Trustwave Blog

Neglect These 'Second-Tier' Vulnerabilities at Your Own Risk

By now you should be familiar with the "mega" vulnerabilities that were assigned splashy monikers over the past 15 months, a trend that previously had been reserved for dangerous malware and successful exploit groups.

In some cases, this new branding strategy was well thought out (and complete with logos of bleeding hearts), while in others, the name for the famous flaw just kind of stuck. Regardless, these naming exercises are genuinely significant because they attract widespread attention for serious digital risks.

But also important to keep in mind: For every Heartbleed, Shellshock and POODLE, there are thousands of other vulnerabilities that are anything but household names - yet perhaps they should be.

The 2015 Trustwave Global Security Report, released last month, offers valuable insight into the vulnerabilities that have placed organizations across the world at risk. The report covers the "celebrity" examples, but also devotes ample real estate to the less heralded weaknesses. And for good reason. As the report notes: "Sophisticated attackers prefer their vulnerabilities with a little less fanfare." In fact, in the fourth quarter of 2014, of the vulnerabilities identified in host-based scans performed by Trustwave, fewer than 1 percent were Heartbleed. The same went for Shellshock.

So which vulnerabilities are we most often spotting? Here are two categories of vulnerabilities that have experienced massive exploitation in recent months, but probably didn't make the evening news.

The zero-days

Trustwave researchers in 2014 tallied 22 "high-profile" zero-day vulnerabilities, for which no patch or anti-virus signature was available at the time of discovery. That makes them far more threatening to the average organization. In many cases, these bugs affect common software that businesses use every day.

Of the 22 zero-days, 10 affected Microsoft products and five impacted Adobe, with four of those five involving Flash. Flash is a big-time target due to its widespread use and ease of exploitation - enough so that one prominent security journalist recently chronicled his experience in going one month without using the software. And just this week, potentially several Flash zero-day vulnerabilities have emerged as part of a data dump.

The value of a zero-day exploit lies in staying unknown. Once the underlying defect becomes known to the security community at large, a patch and detection signatures follow and the exploit loses most of its worth. As such, most zero-day exploits are used sparingly and against specific, high-value targets. In some cases, however, zero-days are folded into exploit kits, a thriving trade on the criminal underground, and fired at anyone who lands on a compromised or malicious web page.

The known but unpatched

A second class of vulnerability that organizations should fret over are weaknesses that have been patched, but which attackers are still widely exploiting because businesses have been tardy to apply fixes.

For that, we turned to our internal and external network vulnerability scanners, which continue to observe years-old weaknesses, such as servers still offering the RC4 cipher, that leave Secure Sockets Layer (SSL) and Transport Layer Security (TLS) configurations insecure.

The SSL certificate itself isn't the problem; the protocol versions and cipher suites the server agrees to negotiate are. Organizations must stop supporting outdated and vulnerable SSL/TLS protocols on web servers and other services - the same guidance the PCI Security Standards Council just issued to businesses handling credit and debit cards, which now must migrate off SSL and early TLS.
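As an added example (not Trustwave's code, nor a tool the report describes), here is a small Python policy check of the kind that sits behind a scanner finding: it parses a constructed scan report for one host and flags the protocol versions and cipher suites the guidance above rules out. The report format, the host names and the exact policy (no SSLv2/SSLv3, no TLS 1.0/1.1, and no RC4, NULL, anonymous, export-grade, DES/3DES or MD5-MAC suites) are assumptions; it goes slightly beyond the post by covering weak suite families other than RC4.

```python
"""Classify a TLS scan result against a minimal SSL/TLS hardening policy.

Added example, not Trustwave's code. The policy, the report format and the
host names are assumptions modelled on the post's guidance: no SSL, no
"early TLS", and no RC4 or other known-weak cipher suites.
"""
import re

# Protocol versions the (assumed) policy rejects, with the reason to report.
BANNED_PROTOCOLS = {
    "SSLv2": "SSL is obsolete and insecure",
    "SSLv3": "SSL is obsolete and insecure (POODLE)",
    "TLSv1.0": "early TLS; PCI DSS requires migrating off it",
    "TLSv1.1": "early TLS; prefer TLS 1.2 or later",
}

# Substrings that mark an IANA-style suite name as weak. The first matching
# pattern supplies the reason, so more specific classes come first.
WEAK_CIPHER_PATTERNS = [
    (re.compile(r"WITH_NULL"), "no encryption"),
    (re.compile(r"_anon_|DH_anon|ADH"), "anonymous key exchange, no server authentication"),
    (re.compile(r"EXPORT"), "export-grade key length"),
    (re.compile(r"RC4"), "RC4 keystream biases allow plaintext recovery"),
    (re.compile(r"3DES|DES_CBC|_DES_"), "DES/3DES 64-bit block cipher"),
    (re.compile(r"_MD5$"), "MD5-based MAC"),
]

# Constructed sample reports in a hypothetical "kind value accepted" format;
# not the output of any real scanner.
SAMPLE_REPORT = """\
host www.example.test 443
protocol SSLv3 accepted
protocol TLSv1.0 accepted
protocol TLSv1.2 accepted
cipher TLS_RSA_WITH_RC4_128_SHA accepted
cipher TLS_RSA_WITH_3DES_EDE_CBC_SHA accepted
cipher TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 accepted
cipher TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 accepted
"""

HARDENED_REPORT = """\
host api.example.test 443
protocol TLSv1.2 accepted
protocol TLSv1.3 accepted
cipher TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 accepted
cipher TLS_AES_256_GCM_SHA384 accepted
"""


def parse_report(text):
    """Turn the constructed report format into {host, protocols, ciphers}."""
    scan = {"host": None, "protocols": [], "ciphers": []}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # skip blank or malformed lines
        kind, value = parts[0], parts[1]
        if kind == "host" and len(parts) >= 3:
            scan["host"] = f"{parts[1]}:{parts[2]}"
        elif kind == "protocol" and parts[-1] == "accepted":
            scan["protocols"].append(value)
        elif kind == "cipher" and parts[-1] == "accepted":
            scan["ciphers"].append(value)
    return scan


def protocol_findings(protocols):
    """Return (protocol, reason) for every offered protocol the policy bans."""
    return [(p, BANNED_PROTOCOLS[p]) for p in protocols if p in BANNED_PROTOCOLS]


def cipher_findings(ciphers):
    """Return (suite, reason) for every offered suite matching a weak pattern."""
    findings = []
    for suite in ciphers:
        for pattern, reason in WEAK_CIPHER_PATTERNS:
            if pattern.search(suite):
                findings.append((suite, reason))
                break  # report one reason per suite
    return findings


def assess(scan):
    """Combine protocol and cipher findings into a per-host verdict."""
    protos = protocol_findings(scan["protocols"])
    suites = cipher_findings(scan["ciphers"])
    return {
        "host": scan["host"],
        "weak_protocols": protos,
        "weak_ciphers": suites,
        "compliant": not protos and not suites,
    }


if __name__ == "__main__":
    for text in (SAMPLE_REPORT, HARDENED_REPORT):
        result = assess(parse_report(text))
        print(result["host"], "compliant" if result["compliant"] else "NOT compliant")
        for item, reason in result["weak_protocols"] + result["weak_ciphers"]:
            print(f"  {item}: {reason}")
```

The fix on the server side is the mirror image of the check: restrict the protocol list and the cipher string so the weak entries can never be negotiated, for example `ssl_protocols TLSv1.2 TLSv1.3;` and an `ssl_ciphers` value that excludes RC4 in nginx, then rescan to confirm the finding is gone rather than trusting the config edit.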

(For a full rundown of the vulnerabilities referenced above and their specific CVE numbers, check out the 2015 Trustwave Global Security Report).

What to do?

Oftentimes, zero-day exploits make it through and patches are missed because an organization lacks the requisite in-house skills or headcount to keep up. The bottom line is that companies commonly run so many systems with potential holes that they require assistance in the form of managed vulnerability scanning and deep-dive pen testing across their IT inventory of databases, networks and applications. And they should consider combining this testing with a managed service that addresses malware, zero-day vulnerabilities and blended threats in real time.

Among other things, managed security services providers (MSSPs) can help strained businesses cover more threat vectors, respond to emerging threats faster and keep systems more up to date.

Dan Kaplan is manager of online content at Trustwave and a former IT security reporter and editor.