Old Vulnerabilities: The Stuff of Cybersecurity Nightmares

“As a security professional, what keeps you up at night?

I get this question all the time when speaking at various security events. There are a myriad of security-related problems that keep me up at night, but the one that weighs on my mind most is the sheer number of old vulnerabilities — we’re talking vulnerabilities at least a year old or more — that are still being successfully exploited.

According to Secunia, more than 15,000 vulnerabilities were discovered across nearly 4,000 products in 2014 alone.

So, why does this bother me so much? Because exposing yourself to risk through old vulnerabilities is unnecessary.

Vendors typically release patches for the most severe CVEs very quickly after they’re discovered, with 83 percent releasing them on the same day as disclosure. I’d like to say that, in light of this information, there’s no reason for organizations to be susceptible to old vulnerabilities, but that’s not entirely true.

Problems arise when there are so many patches per month or year that IT simply cannot keep up, as well as when vulnerable software runs on systems so critical that any downtime would endanger employee safety or cost the company millions of dollars in lost productivity. The vulnerability problem becomes an insurmountable obstacle that gets perpetually more difficult to tackle with each passing day. However, there are processes and technologies available to help solve these problems.

In a previous post, I explained how to go about making applications more secure. At the risk of being repetitive, I’m going to harp on the same points I made in that post, but only because software vulnerabilities are a serious problem that affect everyone, from your CEO to your mom.

Vendors can certainly do more to make sure fewer vulnerabilities reach production, by practicing secure coding and software development life cycles, and using web application firewalls. However, software vulnerabilities are a fact of life, and we’re not going to eradicate them anytime soon. Knowing this, enterprise software customers can do some things to protect themselves:

• Segment your network. Architect it using the Zero Trust methodology, and make sure you know exactly which applications, users, data, and devices are traversing which segments.
• Secure each segment with technologies that target multiple stages in the attack lifecycle, so that attackers are forced to spend the time and resources to craft completely new zero-day exploits and malware, and brand new command and control domains. Cyber criminals won’t be so set on attacking you if it’s cost-prohibitive or requires too much time and attention.
• Use an intrusion prevention system whose signatures can stop more than a single exploit. Just like skinning a cat, there are many ways to exploit a vulnerability, so your protection must protect the vulnerability itself, regardless of which exploit is used.

Let’s stop attackers in their tracks — or at least make it difficult to poke holes in the software we use.

Find out more about Palo Alto Networks Intrusion Prevention System here.