A joint report from Kaspersky and Outpost24 reveals that, although the number of zero-day attacks is rising, cybercriminals still make extensive use of known vulnerabilities.
David Jacoby, Kaspersky Senior Security Researcher, Global Research & Analysis Team, says there is no need for cybercriminals to hack a corporate system, “they simply need to ‘hack’ the people that manage the system.”
According to the two companies, a common baseline is for all critical vulnerabilities to be resolved within three months. The study, however, found that 77% of the vulnerabilities that missed the three-month deadline were still present a full year after being discovered.
Jacoby said the unpatched vulnerabilities were considered critical because of the ease with which they could be exploited and the impact they could have. The study also found that some corporate systems had remained unpatched for a decade, even though the companies were paying for a dedicated service to monitor their security.
After collecting the data with the Outpost24 team, Jacoby carried out a social engineering experiment to see how easy it was to insert a USB drive into computers at government institutions, privately owned companies, and hotels.
“What is really surprising is that the hotels and privately owned companies had greater awareness and security than the government organisations. The results are a wake-up call for those searching for tailored security solutions that cover the ‘threats of tomorrow’ – it highlighted that training your staff to be prudent is just as important.”
Outpost24 Chief Security Officer Martin Jartelius said the security audit was relevant globally because the gap between the moment a vulnerability is detected and the moment it is patched is almost uniform in every country.
“Whether it’s exploiting poor security practices, misconfigured security devices or staff that lack security training, companies should understand that it is possible to gain control of most parts of the organisation, even though no new attacks or methods are used.
“It is therefore essential to shift the approach to security from stand-alone tools to integrated solutions as part of business processes,” Jartelius concluded.