Companies Leave Themselves Exposed to Known Vulnerabilities

Cybersecurity is a perpetual back and forth between attackers and organizations. As companies put better security tools and practices in place, attackers adapt and develop new techniques to bypass those defenses. Rinse and repeat. Part of the challenge of staying one step ahead of attackers is to implement patches for known vulnerabilities before attackers can develop an exploit to take advantage of them, but research from Alert Logic found that 75 percent of the top 20 unpatched vulnerabilities present are more than a year old.

Known Vulnerabilities are an Unnecessary Risk

That is an alarming number. There is no such thing as perfect cybersecurity or an impervious network. New technologies are constantly being adopted and new vulnerabilities are constantly discovered, so companies are always exposed to at least some risk. However, a known vulnerability that has been publicly announced is a very different thing.

Consider it from the perspective of a house. You want to keep unauthorized people out of the house and protect the people and property inside, so you have locks on your doors and windows, and perhaps an alarm system and/or security cameras to monitor access. Now, imagine that a weakness is discovered in the locking mechanism for your windows. Leaving a known vulnerability unpatched is the equivalent of shining a spotlight on your flawed window with a neon sign that says “Burglars: Enter here!”

The Clock is Ticking Once the Vulnerability is Public

There are certainly cyber criminals and malware developers out there who can find their own vulnerabilities to exploit. We frequently hear about zero-day exploits in the wild. It takes a level of knowledge, skill, and dedication, though, to put in the time and do the research to discover new vulnerabilities. Most attackers don’t have the patience or ability for that.

Once a vulnerability is identified and shared publicly, however, a race begins. Now that someone else has done the hard part of discovering the flaw, attackers can focus on the vulnerable code to find ways to exploit it. When the vendor releases a patch for the vulnerability, attackers can often reverse-engineer the patch to get even more insight into what the vulnerability is and how it works, which enables them to develop a working exploit.

After a vulnerability is revealed publicly, the clock starts ticking. According to a study from 2017, the median time to develop a working exploit once a vulnerability has been discovered is 22 days. Organizations are in a race to implement the necessary patches, or find other ways to mitigate the risk from the vulnerability, before the attackers develop a functional exploit.

75% of Top 20 Unpatched Vulnerabilities are Over a Year Old

Known vulnerabilities—vulnerabilities that have had a patch available for months—are very often the reason that attackers succeed in compromising companies. That’s why the findings in the recent Alert Logic Critical Watch Report: SMB Threatscape 2019 are particularly concerning. According to the research shared in the report, 75% of the top 20 unpatched vulnerabilities present in the SMB space are more than a year old.

That’s 15 out of 20. Fifteen of the top 20 unpatched vulnerabilities have had a patch available for over a year. That means that organizations that have not implemented those patches have left the door open for attackers for probably at least 11 months.

As startling as that is, that is far from the only issue SMBs—and even larger enterprises—face when it comes to cybersecurity. The report from Alert Logic reveals a number of other crucial takeaways, and provides tips and guidance to help companies address these challenges and get some peace of mind. Take a look at the full Alert Logic Critical Watch Report: SMB Threatscape 2019 for yourself.

About the Author

Tony Bradley - Senior Manager of Content Marketing for Alert Logic
Tony Bradley is Senior Manager of Content Marketing for Alert Logic. Tony worked in the trenches as a network administrator and security consultant before shifting to the marketing and writing side of things. He is an 11-time Microsoft MVP in security and cloud and has been a CISSP-ISSAP since 2002. Tony has authored or co-authored a dozen books on IT and IT security topics, and is a prolific contributor to online media sites such as Forbes and DevOps.com. He has established a reputation for effective content marketing, and building and engaging a community and social media audience.