This year we’ve seen the WannaCry and Petya attacks wreak havoc around the world, as well as high-profile data breaches like Equifax. It’s easy to get caught up in the news cycle, but they’re not the main threats security professionals should be focusing their attention on.
Vulnerabilities, and the exploitation of them, are still the root cause of most information security breaches today. Although not all breaches result from a vulnerability being exploited, most do. Within this majority, they also come from known vulnerabilities, rather than zero day attacks.
“ 99% of the vulnerabilities exploited by the end of 2020 will continue to be ones known by security and IT professionals at the time of the incident.”
Zero day vulnerabilities made up only approximately 0.4% of vulnerabilities during the past decade. The amount spent on trying to detect them is out of kilter with the actual risks they pose. This is compared with the massive numbers of breaches and infections that come from a small number of known vulnerabilities that are being repeatedly exploited.
Craig Lawson, research vice president at Gartner, says it’s like worrying more about great white sharks than the humble mosquito – one consistently kills millions of people each year, while the other causes roughly the same amount of deaths as being struck by lightning.
“Are zero day attacks real? Absolutely. Are they the biggest issue for most organisations? No,” Lawson says. “The top issue in vulnerability management is that organizations aren’t prioritizing their patching and compensating controls to align to vulnerabilities targeted by threat actors.”
Organizations need to align their vulnerability management priorities with the biggest security threats. Although Gartner is seeing persistent and advanced threats, most threat actors don’t use overly sophisticated means to achieve their goals in most cases. Instead, they are leveraging known vulnerabilities more often than not to get the job done.
Deal with the elephant in the room first
Gartner believes that 99% of the vulnerabilities exploited by the end of 2020 will continue to be ones known by security and IT professionals at the time of the incident.
“If you deal with the biggest cause of breaches and data loss first, then you’ll have a better foundation to work on more difficult issues,” Lawson says. “Don’t stop continually inching toward improvements with a vulnerability management program, but it’s more critical to reduce attack surfaces by closing the biggest risks, which are the known vulnerabilities being exploited in the wild.”
The number of exploited vulnerabilities year over year for the last decade is actually flat, despite the number of breaches increasing and the number of threats appearing. Essentially, more security threats are leveraging the same small set of vulnerabilities.
Focus on vulnerabilities exploited in the wild
As a top priority, focus your efforts on patching the vulnerabilities that are being exploited in the wild or have competent compensating control(s) that can. This is an effective approach to risk mitigation and prevention, yet very few organization do this.
This prioritization reduces the number of vulnerabilities to deal with. This means you can put more effort into dealing with a smaller number of vulnerabilities for the greater benefit of your organization's security posture.