Companies are leaving vulnerabilities unpatched for up to 120 days leaving them open to untargeted attacks, according to the findings of a new report.
Risk and vulnerability intelligence platform Kenna analysed 50,000 organisations, 250 million vulnerabilities, and over one billion breach events from January 2014 to September 2015, and found that companies are regularly leaving vulnerabilities open for longer than it takes attackers to exploit them.
Unlike more widely publicised advanced persistent threats, non-targeted attacks pose a different challenge for security organisations. Rather than targeting a specific company, attackers attempt to steal valuable data from as many companies as possible, relying on automated tools and techniques to scale their attacks and exploit commonly found vulnerabilities. The recent discovery of the Heartbleed vulnerability in OpenSSL brought this to the forefront as a threat that exploited multiple targets at once.
"The public has grown plenty familiar with hacker seeking out a specialised target, such as Ashley Madison. But automated, non-targeted attacks still remain the most significant threat to businesses of all sizes," says Karim Toubba, CEO of Kenna. "Every company has data that hackers want to get their hands on, but security teams remain one step behind their adversaries. Security teams need to move quickly to remediate critical vulnerabilities, but they don’t have the tools needed to keep pace with hackers".
Among the report's findings are that automated attacks are on the rise with over 1.2 billion successful exploits witnessed in 2015 to date, compared to 220 million successful exploits in 2013 and 2014 combined - an increase of 445 per cent.
Despite their best intentions, most companies take an average of 100-120 days to fix found vulnerabilities. However, many companies have critical vulnerabilities that go unpatched altogether. The probability of a vulnerability being exploited hits 90 per cent between 40-60 days after discovery, indicating that the length of time a company takes to react to vulnerabilities before attackers strike is critical. This creates a 'remediation gap', or time that any vulnerability is most likely to be exploited before it is close, of nearly 60 days.
"Companies will continue to face the cold reality that throwing people at the problem is no longer sufficient for remediating vulnerabilities and combatting the sheer volume of automated attacks," adds Toubba. "They need solutions that are as automated as the attacks that continue to hammer them - fixing vulnerabilities manually is no longer possible in the 'new normal'".
You can read more in the full report which is available to download from the Kenna website.