Exposing the Security Weaknesses We Tend to Overlook
Woburn, MA – September 24 – Experts from Kaspersky Lab and Outpost24 recently carried out a security audit at a number of European organizations and studied the prevalence of unpatched vulnerabilities globally to get a better understanding of the IT (in)security landscape.
Their joint report illustrates that even unsophisticated attacks on corporate networks can succeed without expensive zero-day exploits. Though the number of zero-day attacks is on the rise, cybercriminals still make extensive use of known vulnerabilities. This is hardly surprising considering it takes the average company 60-70 days to fix a vulnerability, which is ample time for attackers to gain access to a corporate network. The expert team's security audit also revealed that there is no need for cybercriminals to hack a corporate system; they simply need to 'hack' the people who manage it.
A common baseline is for all critical vulnerabilities to be resolved within three months. But 77% of the vulnerabilities that passed this three-month deadline were still present a full year after being discovered. The Kaspersky Lab and Outpost24 joint research team collected data on vulnerabilities dating back to 2010, and found systems that had been vulnerable for the past three years. These unpatched vulnerabilities are considered critical because of the ease with which they can be exploited and the impact they can have. Notably, some corporate systems had remained unpatched for a decade despite the fact that the companies were paying for a special service to monitor their security.
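The two numbers above (a 90-day remediation baseline and the share of overdue findings still present a year later) are easy to reproduce from any scanner export that records when a finding was first seen and when it was closed. The script below is an added example, not code from the report or from either vendor; the CSV rows, hostnames and finding IDs are constructed for illustration, and the cut-off date is an assumption. Findings younger than a year are excluded from the long-tail ratio, because for them the one-year question cannot be answered yet.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

SLA_DAYS = 90          # three-month remediation baseline for critical findings
LONG_TAIL_DAYS = 365   # "still present a year after discovery"
AS_OF = date(2013, 9, 1)   # assumed reporting date for the constructed sample

# Constructed sample export (not real scan data): one row per finding,
# empty `resolved` means the finding is still open.
SAMPLE_CSV = """finding_id,host,severity,discovered,resolved
F-001,db01.example.internal,critical,2010-06-01,
F-002,web01.example.internal,critical,2012-01-10,2012-03-01
F-003,web02.example.internal,critical,2012-02-01,2013-04-01
F-004,mail01.example.internal,critical,2012-05-01,2012-10-01
F-005,vpn01.example.internal,critical,2013-04-01,
F-006,fs01.example.internal,high,2011-01-01,
"""


@dataclass
class Finding:
    finding_id: str
    host: str
    severity: str
    discovered: date
    resolved: Optional[date]   # None while the finding is still open


def load_findings(text: str) -> List[Finding]:
    """Parse a CSV export with ISO dates into Finding records."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        out.append(Finding(
            finding_id=row["finding_id"],
            host=row["host"],
            severity=row["severity"].strip().lower(),
            discovered=date.fromisoformat(row["discovered"]),
            resolved=date.fromisoformat(row["resolved"]) if row["resolved"] else None,
        ))
    return out


def days_open(f: Finding, as_of: date = AS_OF) -> int:
    """Days from discovery to remediation, or to `as_of` if still open."""
    return ((f.resolved or as_of) - f.discovered).days


def breached_sla(f: Finding, as_of: date = AS_OF, sla_days: int = SLA_DAYS) -> bool:
    return days_open(f, as_of) > sla_days


def long_tail_ratio(findings: List[Finding], as_of: date = AS_OF,
                    severity: str = "critical") -> float:
    """Share of SLA-breaching findings that were still unremediated a year
    after discovery. Only findings discovered at least LONG_TAIL_DAYS before
    `as_of` are counted, so a finding that is merely 100 days old cannot
    drag the ratio down."""
    eligible = [f for f in findings
                if f.severity == severity
                and breached_sla(f, as_of)
                and (as_of - f.discovered).days >= LONG_TAIL_DAYS]
    if not eligible:
        return 0.0
    stale = [f for f in eligible if days_open(f, as_of) > LONG_TAIL_DAYS]
    return len(stale) / len(eligible)


def overdue_open(findings: List[Finding], as_of: date = AS_OF) -> List[Tuple[str, str, int]]:
    """Still-open findings past the SLA, oldest first: the list to escalate."""
    rows = [(f.finding_id, f.host, days_open(f, as_of))
            for f in findings if f.resolved is None and breached_sla(f, as_of)]
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    findings = load_findings(SAMPLE_CSV)
    print(f"long-tail ratio (critical): {long_tail_ratio(findings):.0%}")
    for fid, host, age in overdue_open(findings):
        print(f"{fid} {host} open for {age} days")
```

Run it against a real export by replacing SAMPLE_CSV with the file contents; the useful output for a remediation owner is the `overdue_open` list, which is the same ordering an attacker would pick from if they had the scan results.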
After collecting the data with the Outpost24 team, Kaspersky Lab’s senior security researcher David Jacoby decided to carry out a social engineering experiment to see how easy it was to insert a USB drive into computers at government institutions, hotels and privately owned companies. Dressed in a smart suit and armed with a USB stick containing only a PDF of his resume, David asked front desk staff at 11 organizations if they could help him print out a document for an appointment at a completely unrelated venue.
The sample group in this security audit included three hotels from different chains, six government organizations and two large privately owned companies. Computers at government bodies typically store sensitive information about citizens, while those at major private companies most likely contain network connections to other companies, and five-star hotels are places where diplomats, politicians and C-level executives stay when traveling.
Only one hotel agreed to connect David's stick to their computer; the other two refused. The privately owned companies also declined his request. Out of the six government organizations visited, four actually did help David by inserting the USB stick into a computer. In the other two cases the USB port was disabled, so the staff asked him to send the file via email instead, which would give an attacker an equally good route in: a malicious PDF that exploits a vulnerability in the recipient's PDF reader.
David Jacoby, Senior Security Researcher
Global Research & Analysis Team, Kaspersky Lab
“What is really surprising is that the hotels and privately owned companies had greater awareness and security than the government organizations. From this firsthand experience it is fair to conclude that there is a real problem. The security audit we performed is relevant for any country because that gap between the moment a vulnerability is detected and the moment it’s patched exists everywhere, in every country. The result of my USB stick experiment is also a wake-up call for those searching for tailored security solutions that cover the ‘threats of tomorrow’ – it highlighted that training your staff to be prudent is just as important!”
Jartelius, Chief Security Officer
“It is a shame to see companies wasting valuable resources on potential threats of tomorrow, when they are still failing to solve the threats of today and yesterday. Whether it’s exploiting poor security practices, misconfigured security devices or staff who lack security training, companies should understand that it is possible to gain control of most parts of the organization, even though no new attacks or methods are used. It is therefore essential to shift the approach to security from stand-alone tools to integrated solutions as part of business processes.”
To read the full report, please visit Securelist.
About Kaspersky Lab
Kaspersky Lab is the world’s largest privately held vendor of endpoint protection solutions. The company is ranked among the world’s top four vendors of security solutions for endpoint users*. Throughout its more than 16-year history Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for large enterprises, SMBs and consumers. Kaspersky Lab, with its holding company registered in the United Kingdom, currently operates in almost 200 countries and territories across the globe, providing protection for over 300 million users worldwide. Learn more at www.kaspersky.com.
* The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by Vendor, 2012. The rating was published in the IDC report "Worldwide Endpoint Security 2013–2017 Forecast and 2012 Vendor Shares" (IDC #242618, August 2013). The report ranked software vendors according to earnings from sales of endpoint security solutions in 2012.