Vulnerabilities

A record year for new vulnerabilities

Craig Jett

VP, Global Security Consulting – Dimension Data

For over 10 years, Craig has worked in the cybersecurity field, establishing pragmatic, business-aligned security services offerings to increase his clients’ security posture while minimising their losses, protecting their brand reputation, and helping them to achieve return on their security investments.

Vulnerabilities surge ─ and weaponised


2018 set a record for the number of new vulnerabilities identified and reported in a single year

This year, Dimension Data’s Executive Guide to the annual NTT Security 2019 Global Threat Intelligence Report highlighted an increase of 12.5% in the number of new vulnerabilities discovered during 2018.

Figure 1: Growth in vulnerabilities

In this article, I’ll delve into some of the findings that we’ve uncovered regarding this dramatic rise in vulnerabilities, discuss their causes and impacts, and provide some practical recommendations on how to raise your business’ defences.

How are vulnerabilities becoming ‘weaponised’?

The ‘weaponisation’ of vulnerabilities means that cybercriminals are exploiting them to launch highly co-ordinated attacks against individuals, businesses, and specific groups, by using a combination of technical and non-technical tools. Often these vulnerabilities are targeted in automated exploit kits, which are developed by criminal groups and monetised in various online forums.

These exceptionally well-organised campaigns are becoming more robust, precise, and targeted than ever before. Attacks are being informed by in-depth information that cybercriminals have gained from multiple sources about their targets. And they’re increasingly diversifying the manner in which they execute their attacks.

Let’s use the example of attacks on specific individuals. By scouring various channels – both legitimate and illicit – attackers are able to amass sufficient information about their targets to build a comprehensive profile about them. Gradually, they gather enough material to determine what’s going to be the most effective method(s) of attack and they’ll typically utilise multiple attack surfaces to pursue their targets.

Of course, organisations are also subjected to these types of co-ordinated attacks, and an attack against an individual is often strongly connected to an attack against a business.

For example, one of our client’s executives was approached by an individual masquerading as a respected leader of another business, regarding a potential merger. The approach was convincing, and the cybercriminals had gathered a wealth of information about the person purporting to represent the organisation seeking to be acquired. Here, of course, the ultimate objective was monetary gain to seal the acquisition deal.

Once cybercriminals have successfully compromised a company’s systems and stolen the information they want, they’ll sell it for profit on the dark web and/or attempt to extort funds or blackmail the organisation by threatening to sell its trade secrets to competitors.

These co-ordinated, longer-term types of attack are very different to what we’ve seen in the past, where attackers’ tactics were usually short and sharp: ‘Let’s break down the door, grab what we can, and run’. Organisations need to be aware of these shifts and adjust their defence mechanisms accordingly.

Many vulnerabilities were discovered in older software and have been present for years

These vulnerabilities often reside in older systems and ageing computers that are unable to run new versions of software, but are still being widely used today. For example, many hospitals operate medical equipment that runs on versions of Microsoft Windows as old as v3 or thereabouts. Generally, these devices operate perfectly well for their intended purpose. And this doesn’t just apply to hospitals: within most organisations, somewhere, you’ll likely find older devices and computers that have been repurposed to perform some kind of basic function ─ perhaps simply providing support as a print server, for instance. These devices present an attractive attack surface for hackers, as the system software is long-retired and is no longer being updated or patched. With few or no modern security controls protecting them, they can represent a cybersecurity risk. Here, a vulnerability assessment would be advisable.

However, many vulnerabilities in modern software still exist ─ and often for many years following their discovery. Bash, Shellshock, Apache Struts, and Samba are good examples of older vulnerabilities which continue to see significant exploit traffic. Shellshock, the critical flaw in Linux and Unix operating systems that can allow an attacker to run malicious code remotely on a targeted system, was first discovered in September of 2014. However, it continues to be left unpatched in many organisations.

These vulnerabilities offer a lucrative target for attackers. With minimal effort, intelligence-gathering on vulnerable systems can be automated, widening the range and scope of the scans.

How do you balance the need to deal with both new and old vulnerabilities?

In addition to fending off traditional attacks, using tried-and-tested tools, security professionals now need to find ways to protect the organisation and their users from newer, more sophisticated types and methods of attack.

Some of the newer, emerging vulnerabilities, such as cryptojacking [1] and the latest breed of web attacks, are relatively easy for cybercriminals to introduce into your environment, and often hard for you to detect. In some cases, all you need to do is visit a single, compromised webpage for your system to become infected by malware. You don’t even need to click on anything once you’re on the site.

This shift towards more sophisticated types of attack requires a very different defence mindset and model. In addition, everyone needs to be more vigilant ─ not just security professionals but also users ─ as today, it’s so much easier to unwittingly create system vulnerabilities.

Many vulnerabilities exist in common systems, utilities and applications, and application code libraries used to support daily operations

This is because code is generally written for a variety of purposes and housed in shared code libraries. It’s not uncommon for elements of existing code to be re-used or amalgamated into code that’s being used to develop new products or services, as they perform a specific, essential function.

However, if a piece of existing code happens to have a vulnerability, and it’s re-purposed by other developers who don’t perform appropriate testing on it and is subsequently released, the vulnerability can quickly propagate throughout the organisation. In most cases, there’s no malicious intent involved. The code wasn’t deliberately written to compromise the organisation’s security posture; it’s usually the result of an innocent oversight.

In the age of DevOps, teams are now sharing and re-using code, libraries, and container images. Much of this has been developed without security in mind. This is why teams need to begin integrating security into the DevOps process.

The aim is to embed security into every part of the application lifecycle – development, build, and run time – thereby minimising vulnerabilities and bringing security closer to IT and the business’ overall objectives.

'During the blind rush to meet the needs of the business, the IT environment has become increasingly complex and siloed, putting the organisation’s evolution at risk.' [2]

My top 5 pieces of advice for combatting vulnerabilities

Here’s some guidance for businesses and cybersecurity professionals who are on a journey to bolster their cybersecurity posture:

  1. Be honest with yourself about your current state of cyberpreparedness and vulnerability management capabilities.
  2. This is where it makes sense to enlist the services of an independent cybersecurity advisory partner to benchmark your organisation’s current state of cybermaturity, through the lens of the business’ overall strategic priorities.
  3. Gain consensus among your business and IT teams regarding where the most pressing challenges lie and how you’re going to address them.
  4. Formulate a plan and roadmap which is business-led rather than technology-driven, and which identifies your immediate priorities, to move you from your current to your desired state.
  5. As you advance on your journey, continually re-evaluate your people, processes, and technologies to measure the progress you’re making, and to validate that the plan you’re implementing is still serving you well.

[1] Cryptojacking (also known as coin mining, cryptomining, and cryptocurrency mining) is the illicit use of hijacked systems and CPU resources by cybercriminals to mine cryptocurrencies and generate revenue.

[2] Digital Means Business Benchmark Report, Dimension Data, 2018
