Experts from Kaspersky Lab and Outpost24 recently carried out a security audit at a number of European organisations and studied the prevalence of un-patched vulnerabilities globally to get a better understanding of the IT (in) security landscape.
Their joint report illustrates that even unsophisticated attacks on corporate networks can succeed without expensive zero-day exploits. Though the number of zero-day attacks is on the rise, cybercriminals still make extensive use of known vulnerabilities. This is hardly surprising considering it takes the average company 60-70 days to fix a vulnerability – enough time for attackers to gain access to a corporate network. The expert team’s security audit also revealed there is no need for cybercriminals to hack a corporate system; they simply need to ‘hack’ the people that manage the system.
A common baseline is for all critical vulnerabilities to be resolved within three months. But 77% of the threats that passed this three-month deadline were still present a full year after being discovered. The Kaspersky Lab and Outpost24 joint research team collected data on vulnerabilities dating back to 2010, and found systems that had been vulnerable for the past three years. These un-patched vulnerabilities are considered critical due to the ease with which they can be exploited and the impact they can have.
Interestingly, there were even some corporate systems that had remained un-patched for a decade despite the fact that the companies were paying for a special service to monitor their security.
After collecting the data with the Outpost24 team, Kaspersky Lab’s senior security researcher David Jacoby decided to carry out a social engineering experiment to see how easy it was to insert a USB drive into computers at government institutions, hotels and privately owned companies. Dressed in a smart suit and armed with a USB stick containing only a PDF of his resume, David asked front desk staff at 11 organisations if they could help him print out a document for an appointment at a completely unrelated venue.
The sample group in this security audit included three hotels from different chains, six government organisations and two large privately owned companies. Computers at government bodies typically store sensitive information about citizens, while those at major private companies most likely contain network connections to other companies, and five-star hotels are places where diplomats, politicians and C-level executives stay when traveling.
Only one hotel agreed to connect David’s stick to their computer; the other two refused. The privately owned companies also declined his request. Out of the six government organisations visited, four actually did help David by inserting the USB stick into a computer. In two cases the USB port was disabled, so the staff asked him to send the file via email instead, providing ample scope to exploit vulnerabilities in PDF software.
“What is really surprising is that the hotels and privately owned companies had greater awareness and security than the government organisations. From this firsthand experience it is fair to conclude that there is a real problem. The security audit we performed is relevant for any country because that gap between the moment a vulnerability is detected and the moment it’s patched exists everywhere, in every country. The result of my USB stick experiment is also a wake-up call for those searching for tailored security solutions that cover the ‘threats of tomorrow’ – it highlighted that training your staff to be prudent is just as important!” commented David Jacoby, Senior Security Researcher, Global Research & Analysis Team, Kaspersky Lab.
“It a shame to see companies wasting valuable resources on potential threats of tomorrow, when they are still failing to solve the threats of today and yesterday,” says Martin Jartelius, Chief Security Officer of Outpost24. “Whether it’s exploiting poor security practices, misconfigured security devices or staff that lacks security training, companies should understand that it is possible to gain control of most parts of the organisation, even though no new attacks or methods are used. It is therefore essential to shift the approach to security from stand-alone tools to integrated solutions as part of business processes.”