In Greek mythology, Achilles was a hero of the Trojan War, the greatest of all the Greek warriors. Achilles was invulnerable in his entire body except for one spot—his heel. Paris, who was not a brave warrior, ambushed Achilles as he entered Troy and shot his enemy with an arrow to the heel. Achilles died on the spot.
Today, the acceleration of business digitization has expanded the attack surface, increasing organizations’ vulnerabilities. Akin to Greek mythology, threat actors exploit these vulnerabilities to break into systems and disrupt them for financial gain.
Most of these vulnerabilities are in Internet-facing assets, so by simply scanning the assets or systems, threat actors can discover those that are vulnerable and therefore susceptible to attack.
What do we mean when we talk about vulnerabilities in the systems environment?
A vulnerability is a flaw or weakness in an IT system, security procedure, design, implementation, or internal control that could be exercised (accidentally triggered or intentionally exploited) and would result in a security event.
Keeping systems and applications up to date with security patches is one of the most critical tasks facing an IT department.
Two types of vulnerabilities pose a risk to organizations:
- A zero-day vulnerability in a system or device is a vulnerability that is exploited before the vendor discovers how to fix it. Typically, nation-state actors target these vulnerabilities.
- Unpatched vulnerabilities were the most prominent attack vectors exploited by ransomware groups and threat actors alike during 2021. There was a 33 percent increase in attacks caused by vulnerability exploitation of unpatched software in 2021, representing the cause of 44 percent of ransomware attacks.
These unpatched vulnerabilities pose a greater threat to organizations than zero-day vulnerabilities because nation-state actors and run-of-the-mill cybercriminals alike target organizations en masse.
But do these vulnerabilities pose a serious problem for organizations? What number of vulnerabilities do they face?
- The US-CERT Vulnerability Database recorded 18,376 vulnerabilities in 2021, an 11 percent increase from 2018.
- Attackers with few technical skills can exploit 90 percent of all vulnerabilities that were uncovered in 2021. Vulnerabilities that require no user interaction accounted for 61 percent of the total volume.
- Attackers routinely exploit 703 vulnerabilities.
Here are some examples of the consequences of exploiting a vulnerability:
- During 2019, a vulnerability where a patch or workaround was available but not implemented caused 60 percent of data breaches.
- At small and mid-size enterprises, 53 percent of vulnerabilities that led to ransomware attacks had a criticality level of medium or low, according to the Common Vulnerability Scoring System, suggesting that technical teams generally did not give priority to patching them.
As Greek mythology demonstrated with Achilles, it only takes one vulnerability for organizations to suffer major losses.
Here are some examples of cyberattacks that involved the exploitation of a vulnerability:
- Actors launched a ransomware attack on 233 German gas stations in January 2022. It is believed the attackers leveraged vulnerabilities in two software applications, Microsoft Exchange and Zoho AdShelf Service Plus1, causing a disruption that forced oil company Shell to reroute supplies to different depots.
- The SolarWinds ransomware attack in 2021 was massive and the most sophisticated cyberattack ever, according to Microsoft’s president. Although it was mainly a software supply chain attack that affected more than 18,000 companies worldwide, forensic experts revealed that actors exploited a vulnerability (CVE-2019-8917) on a second phase of the attack.
- The WannaCry ransomware attack in 2017 was the first worldwide cyberattack that proved how devastating ransomware can get. Attackers exploited a Windows vulnerability (CVE-2017-0144), hitting around 230,000 computers globally. The attack is estimated to have caused $4 billion in losses across the globe.
Why are there are so many vulnerabilities unpatched, ultimately increasing the organization’s risk?
According to IT operational teams:
- The high volume of vulnerabilities they face and lack of resources make it difficult to keep up to date in the application of patches.
- Lack of visibility into all affected assets and the relevance of those assets to the business creates difficulty in prioritizing what needs to be patched.
- Coordination with other areas to deploy a solution usually takes an average of 12 extra days, increasing risks and costs.
According to business units:
- An efficient and effective vulnerability patching process requires investing time and resources that do not generate value because it can cause the business to have a service interruption during the remediation process.
- The lack of strategies in the vulnerability management process causes an annual cost increase of 21 percent in large organizations.
Strategies for the vulnerability management process therefore must evolve from a reactive to a proactive approach. Consider the following factors, as appropriate, for your institution:
- Prioritize patching based on the criticality rating of the vulnerability or proactively patch the vulnerabilities that threat actors are actively exploiting, according to CISA Known Exploited Vulnerabilities. Vulnerabilities cited in the previous list, and found in Internet-facing assets, ideally should be fixed within 24 hours.
- Use process automation to increase efficiency. Tools such as SOAR (Security Orchestration, Automation, and Response) can help in this effort.
- Inventory all hardware and software assets to help improve asset visualization and associated vulnerabilities.
- Increase the frequency of proactive asset scanning.
- Raise awareness among business units of the importance of this process to prevent cyberattacks.
Vanessa Alvarez Colina is a cyber risk advisor at AIG.
1Ransomware Report 2022, CSW, Cyware, ivanti. Page 3. Available from https://go.cyware.com/ransomware-spotlight-report-2022.
2 “X-Force Threat Intelligence Index 2022,” IBM Security. Page 5. Available from https://www.ibm.com/security/data-breach/threat-intelligence.
3 NIST National Vulnerability Database, available from https://nvd.nist.gov/vuln/search.
4 “Redscan analysis of NIST NVD reveals record number of vulnerabilities in 2021.” Available from https://www.redscan.com/news/nist-nvd-analysis-2021-record-vulnerabilities.
5 “Known Exploited Vulnerabilities Catalog,” Cybersecurity & Infrastructure Security Agency. As of 5/17/2022. Available from https://www.cisa.gov/known-exploited-vulnerabilities-catalog.
6 “60% of Breaches in 2019 Involved Unpatched Vulnerabilities,” Security Boulevard. Available from https://securityboulevard.com/2019/10/60-of-breaches-in-2019-involved-unpatched-vulnerabilities.
7 “Fighting Ransomware in Midsize Enterprises,” Gartner. Page 32. Available from https://assets-powerstores-com.s3.amazonaws.com/data/org/20033/media/doc/fighting_ransomware_in_midsize_enterprises_1599854885962001fhcn-27ca74171efdffa22118ab56d1cc6514.pdf.
8 “BlackCat ransomware implicated in attack on German oil companies,” ZDNet. Available from https://www.zdnet.com/article/blackcat-ransomware-implicated-in-attack-on-german-oil-companies.
9 “SolarWinds hack was ‘largest and most sophisticated attack’ ever: Microsoft president,” Reuters. Available from https://www.reuters.com/article/us-cyber-solarwinds-microsoft-idUSKBN2AF03R.
10 “A second hacking group has targeted SolarWinds systems,” ZDNet. Available from https://www.zdnet.com/article/a-second-hacking-group-has-targeted-solarwinds-systems.
11 “Ransomware WannaCry: All you need to know,” Kaspersky. Available from https://www.kaspersky.co.uk/resource-center/threats/ransomware-wannacry.
12 “Costs and Consequences of Gaps in Vulnerability Response,” Ponemon Institute. Page 4. Available from https://media.bitpipe.com/io_15x/io_152272/item_2184126/ponemon-state-of-vulnerability-response-.pdf.
13 “Costs and Consequences of Gaps in Vulnerability Response,” Ponemon Institute. Page 5. Available from https://media.bitpipe.com/io_15x/io_152272/item_2184126/ponemon-state-of-vulnerability-response-.pdf.
Opinions expressed in AGB blogs are those of the authors and not necessarily those of the institutions that employ them or of AGB.