A recent report suggests that focusing too much on new security threats might make companies overlook older, more commonly exploited vulnerabilities.

The report by TrustWave is based on data from over 1,900 penetration tests and more than 200 data breach investigations for clients like American Express, MasterCard, Discover, Visa, and several large retailers.

The analysis shows that major global companies are hiring "vulnerability chasers" who look for the latest vulnerabilities and zero-day threats while ignoring the most common ones.

As a result, companies are being compromised by old, well-known vulnerabilities rather than new attack methods. For example, the top three ways hackers accessed corporate networks in 2009 were through remote access applications, trusted internal network connections, and SQL injection attacks. These attack methods have been well-known for years. SQL injection vulnerabilities, for instance, have been known for at least 10 years but are still common in web-based, database-driven applications.
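The SQL injection weakness the report singles out as a decade-old, still-common flaw comes down to one coding pattern. The following is an added illustration (not code from the article or from TrustWave) that contrasts a query built by string concatenation with the parameterized form that closes the hole, using an in-memory SQLite database and a constructed sample user table:

```python
"""Added illustration (not from the TrustWave report or the article): why
SQL injection still works against string-built queries and why a
parameterized query prevents it. Constructed sample data, in-memory SQLite."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample user store standing in for a web application's
    database. Passwords are stored in the clear only to keep the example
    short; a real application would store a salted hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """The flawed pattern: user input is pasted into the SQL text, so input
    characters can change the statement's structure, not just its values."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()


def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    """The hardened pattern: placeholders keep the input as data; the driver
    binds it to the prepared statement, whatever characters it contains."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def demo() -> dict:
    """Run both login functions against a valid credential pair and against a
    textbook injection string, and return what each one matched."""
    conn = make_db()
    good = ("alice", "correct horse battery")
    # The quote closes the password literal and the tautology that follows
    # makes the WHERE clause true for every row in the concatenated version.
    bad = ("alice", "' OR '1'='1")
    return {
        "vuln_good": login_vulnerable(conn, *good),
        "vuln_bad": login_vulnerable(conn, *bad),
        "param_good": login_parameterized(conn, *good),
        "param_bad": login_parameterized(conn, *bad),
    }
```

With the concatenated query the wrong password still returns the `alice` row; the parameterized query returns nothing for the same input, which is the whole of the fix.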

The most common vulnerability found in TrustWave's external network penetration tests involved the management interfaces for web application engines like Websphere and Cold Fusion. In many cases, these interfaces were directly accessible from the Internet and had little or no password protection, allowing attackers to deploy malicious applications on the web server.

Another common vulnerability involved unprotected network infrastructure components like routers, switches, and VPN concentrators. Many companies also hosted internal applications on the same server as external content, leading to misconfigured firewall rules, default or easy-to-guess passwords, and DNS cache poisoning.

TrustWave's wireless penetration tests revealed common weaknesses such as the continued use of WEP encryption, old 802.11 networks with minimal security, and wireless clients using public "guest" networks instead of secured private networks.

In almost all cases, the vulnerabilities discovered by TrustWave were well-known issues that should have been fixed long ago, said Nicholas Percoco, senior vice president at TrustWave's SpiderLabs research unit.

"There are basically two themes," Percoco said. "First, we found some very old vulnerabilities within enterprises, some as old as 20 to 30 years. Second, attackers are targeting these old flaws to break into enterprises, then using sophisticated tools to harvest data."

Malicious attackers are increasingly using tools like memory parsers and credentialed malware to steal data, Percoco said. Memory parsers monitor the random access memory associated with a process to extract specific data. Credentialed malware programs are multi-user programs used to steal money and payment card numbers from ATMs.

To reduce the risks from older vulnerabilities, TrustWave recommends several measures. Companies should maintain a complete asset inventory, because many are unaware of all their IT assets and the risks those assets pose. Decommissioning older legacy systems can also help. Additionally, in 80% of the cases TrustWave examined, third parties were responsible for introducing vulnerabilities, so monitoring third-party relationships is crucial. Other recommended measures include internal network segmentation, data encryption, and stronger Wi-Fi security policies.
