Page 24 - Cyber Warnings

Cyber Risk: The Nitty Gritty on Today’s Threat Landscape


Known Vulnerabilities and Increasing Sophistication of Adversaries Place
Organizations at Risk


by Dustin Childs, Senior Security Content Developer, HPE Security Research at Hewlett Packard
Enterprise

The security threat landscape continues to evolve as attackers advance their techniques, shift
their targets from the perimeter to applications, and increasingly focus on monetary gain from
malware. At the same time, enterprises are still not patching existing vulnerabilities effectively
enough to deny adversaries easy entry points. The annual HPE Cyber Risk Report
provides detailed insight into the changing threat and vulnerability landscape, as well as how
enterprises must meet both existing and new challenges. Here are a few of the key themes
from the report.

1. We learned nothing about patching

One item that stands out in the current report is the most successfully exploited vulnerability in
2015. The number one exploit now clocks in at five years old – and it was 2014’s number one
exploit as well. This is despite the vulnerability, a Stuxnet infection vector (CVE-2010-2568),
having received two separate patches from the vendor. This is especially concerning as
attackers will typically focus on known vulnerabilities first, since they provide the easiest entry
point. Applying patches in an enterprise is not as simple as it seems, and can be complex and
costly – especially when problems occur. While the past year saw a record number of patches
from both Microsoft and Adobe, they do little good if they are not installed by the end user. The
most common explanation given by those who disable automatic updates or fail to install
patches is that patches break things. Vendors must do more to reestablish trust in patches.
Without this trust, enterprises will remain wary of installing patches out of a fear of what might
break.

While installing point-fix patches remains vital in protecting users and networks, it also might not
be sustainable at current volumes. However, one positive trend is the shift from point-fixes to
broad impact solutions. Instead of releasing patches to fix many different vulnerabilities, these
defensive measures take out an entire class of attacks – at least for some period of time. For
example, the past year saw the inclusion of use-after-free protections in Microsoft browsers
Internet Explorer and Edge, which provided wide-reaching fixes to disrupt attacks in an
asymmetric fashion. Other vendors would do well to consider implementing similar strategies to
disrupt classes of attacks. The attack surface reduction provided by patching and other
security-related fixes can be far reaching.

2. The monetization of malware

Just as the marketplace grows for vulnerabilities, malware in 2015 took on a new focus. In
today’s world, malware needs to produce revenue, not just be disruptive. This has led to an

24 Cyber Warnings E-Magazine – March 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide