HP’s 2014 Cyber Risk Report has arrived, and we’re happy about it. Here is one of the more noteworthy stats – a surprisingly large number of breaches (44%) are carried out using vulnerabilities that are two to four years old. In other words, while the advanced, persistent zero-days that media headlines love are real and credible threats, they should by no means dominate your security strategy and investment.
This is especially interesting when considering the purchasing behaviors of security buyers in recent years – the enterprise has developed, in Anton Chuvakin’s words, an acute “vendor-marketing-infused interest” to defend against advanced, well-funded, and targeted attacks. But here’s the punch line – many of these organizations can barely hold their own against basic, commodity attacks, and they most likely aren’t investing in changing that.
The HP Cyber Risk Report also says that each of the top ten vulnerabilities exploited in 2014 “took advantage of code written years or even decades ago.” This means that companies are unnecessarily exposing themselves to security threats that have been present and known for years, mostly because shiny, silver bullet technologies are monopolizing security buyers’ attention and budgets.
The lesson here is simple – organizations need to focus more on the fundamentals of security maturity rather than chasing high-maturity defense tools. This is likely the only way organizations can eliminate the significant risk associated with underdeveloped security basics. Think of it this way: a casual attacker will use the less sophisticated, easier attack method every time before investing the time, training and money it takes to craft an advanced and targeted threat. This is why it makes sense to design your security strategy to optimize against that behavior.
So the goal is not to get back to solid security basics, but to achieve them for the first time.
The good news is there are proactive ways to get these known-vulnerability breaches (remember, the 44%) closer to zero. Art Gilliland, an HP Enterprise Security executive, says building out a blend of layered security defenses, continuous and scalable penetration testing, efficient threat intelligence sharing, and a well-thought-out strategy for introducing new technologies to your stack can seal the gaps that expose you to known vulnerabilities.
This is the part where we give ourselves a little credit – Synack is a great example of what it means to execute very well against security basics. Synack takes the traditional practice of penetration testing to the next level; we harness and enable the brainpower of the best security researchers from all over the world to provide you with an adversarial view of your IT environment, so that you can see the gaps…and fix them. To learn more about the Synack Red Team, check us out here.