
Neglect These 'Second-Tier' Vulnerabilities at Your Own Risk

By now you should be familiar with the "mega" vulnerabilities that were assigned splashy monikers over the past 15 months, a trend that previously had been reserved for dangerous malware and successful exploit groups.

In some cases, this new branding strategy was well thought out (and complete with logos of bleeding hearts), while in others, the name for the famous flaw just kind of stuck. Regardless, these naming exercises are genuinely significant because they attract widespread attention for serious digital risks.

But also important to keep in mind: For every Heartbleed, Shellshock and POODLE, there are thousands of other vulnerabilities that are anything but household names - yet perhaps they should be.

The 2015 Trustwave Global Security Report, released last month, offers valuable insight into the vulnerabilities that have placed organizations across the world at risk. The report covers the "celebrity" examples, but also devotes ample real estate to the less heralded weaknesses. And for good reason. As the report notes: "Sophisticated attackers prefer their vulnerabilities with a little less fanfare." In fact, in the fourth quarter of 2014, of the vulnerabilities identified in host-based scans performed by Trustwave, fewer than 1 percent were Heartbleed. The same went for Shellshock.

So which vulnerabilities are we most often spotting? Here are two categories of vulnerabilities that have experienced massive exploitation in recent months, but probably didn't make the evening news.

The zero-days

Trustwave researchers in 2014 tallied 22 "high-profile" zero-day vulnerabilities, for which no patch or anti-virus signature was available at the time of discovery. That makes them far more threatening to the average organization. In many cases, these bugs affect common software that businesses use every day.

Of the 22 zero-days, 10 affected Microsoft products and five impacted Adobe, with four of those five involving Flash. Flash is a big-time target due to its widespread use and ease of exploitation - enough so that one prominent security journalist recently chronicled his experience in going one month without using the software. And just this week, potentially several Flash zero-day vulnerabilities have emerged as part of a data dump.

The value of a zero-day exploit lies in flying under the radar. Once the underlying defect becomes known to the security community at large, the exploit becomes far less valuable. As such, most zero-day exploits are used sparingly and against specific, high-value targets. In some cases, however, zero-days are folded into exploit kits, a thriving trade on the criminal underground.

The known but unpatched

A second class of vulnerability that organizations should fret over consists of weaknesses that have been patched, but which attackers still widely exploit because businesses have been slow to apply the fixes.

For that, we turned to our internal and external network vulnerability scanners, which observed years-old vulnerabilities, such as weak ciphers like RC4, that result in insecure server configurations for Secure Sockets Layer (SSL) and Transport Layer Security (TLS).

While SSL certificates themselves aren't the problem, organizations must cease supporting outdated and vulnerable SSL/TLS protocols on web servers and other services - the same guidance that the PCI Security Standards Council just issued to businesses handling credit and debit cards.

(For a full rundown of the vulnerabilities referenced above and their specific CVE numbers, check out the 2015 Trustwave Global Security Report).

What to do?

Oftentimes, zero-day exploits make it through and patches are missed because an organization lacks the requisite in-house skills or headcount to keep up. The bottom line is that companies commonly run so many systems with potential holes that they require assistance in the form of managed vulnerability scanning and deep-dive pen testing across their IT inventory of databases, networks and applications. And they should consider combining this testing with a managed service that addresses malware, zero-day vulnerabilities and blended threats in real time.

Among other things, managed security services providers (MSSPs) can help strained businesses cover more threat vectors, respond to emerging threats faster and keep systems more up to date.

Dan Kaplan is manager of online content at Trustwave and a former IT security reporter and editor.
