Patch, patch, and patch again. This mantra has been repeated by security experts over and over again as one of the most low-effort and low-cost ways to secure your systems against security threats. However, a new study seems to indicate that this piece of advice by the security community to businesses seems to be falling on deaf ears.
According to the 2021 Trustwave SpiderLabs Telemetry Report by , up to 50% of scanned servers have compromised security due to not installing and properly implementing a patch for weeks or months after it has been officially released.
Researchers used information published by the NVD (National Vulnerability Database) on CVEs (Common Vulnerabilities and Exploitations) to run scans on thousands of servers using the Shodan search engine.
They found that roughly 18,352 security flaws were reported in 2020 alone, a 6% increase from 2019. Security flaws have been on the rise since 2016 when it stood at 6,447 – a staggering 184.66% increase.
As of 1 September 2021, the total vulnerabilities reported stood at ~13,000 which is more than the ~12,000 detected by the same time last year. So, it seems like the trend is not about to reverse.
The more shocking statistics is that the majority of these incidents are medium-to-high severity. Only 16% were categorized as “low” severity with 20% high-severity vulnerabilities.
Successfully exploited high-severity vulnerabilities can cause significant harm to organizations and their users. It can lead to large-scale data breaches, access to vulnerable systems and data which can cut off access to information or processing resources, or even remote code execution in which an attacker can take full control of the target system.
A few CVEs seemed to stand out. Of particular concern are multiple vulnerabilities associated with Microsoft Exchange Server (aka ProxyShell and ProxyToken). These include CVEs CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, and CVE-2021-33766.
In 2021, there have been numerous high-profile incidents regarding vulnerabilities affecting Microsoft Exchange Server and its range of associated applications. Of 45,000 instances scanned, 4.3% of the targets had RDP enabled and 1% had SMBv1.
Oracle Weblogic Server Remote Code Execution (RCE) Vulnerability (CVE-2021-2109) and Vmware vCenter Multiple Vulnerabilities (CVE-2021-21985 and CVE-2021-21986) showed a remarkable high rate of incidence until as recently as August/July 2021. Vulnerabilities affecting Tomcat and QNAS were also highly prevalent.
But, why is patching so important?
First of all, there is no such thing as a 100% secure piece of software. Even software released 10 years ago might still have some hidden security flaw that has either not been discovered by its creators, security testers, or threat actors or that has emerged due to the evolving ecosystem and technologies surrounding that software.
Even new updates or security patches may inadvertently introduce a brand new vulnerability that has not existed before. The point is that our software today is so sophisticated, complex, and evolves so quickly that it’s impossible to say, with certainty, that no possible exploitations exist in a specific version.
Secondly, patching often happens as a result of a successful zero-day exploit or a security advisory/alert. A zero-day exploit is an attack that exploits a potentially serious software security weakness that the vendor or developer may be unaware of.
According to the Ponemon Institute, 80% of successful breaches are 0-day attacks. The risk of a particular vulnerability being exploited only increases the longer it goes unaddressed.
Once a zero-day exploit is revealed to the public, either because of a successful attack or the efforts of security testers, bug bounty hunters, etc. it can freely be exploited by various threat actors until patches are released by vendors and installed by software owners.
Regardless, the patch notes themselves typically spell out which security vulnerability is being addressed. So, software users will want to implement that patch as quickly as possible to avoid leaving their systems vulnerable a second longer. If the above mentioned study is any indication, we still have a long way to go in engendering proper security practices as a matter of course across the business landscape.
Sources:
2021 Trustwave SpiderLabs Telemetry Report
