Vulnerabilities cause the majority of cybercrime. There are always new vulnerabilities appearing as software gets updated and as cyber criminals work behind the scenes to find new backdoors to organizations’ systems.
In the first half of 2022 alone, 81% of incidents happened through an external exposure, either a known vulnerability or an exposed remote desktop protocol (RDP) service. The sheer volume of vulnerabilities grew again in 2022, with over 25,000 recorded, and over 800 have been actively exploited.
With ‘The Most Exploited Vulnerabilities of 2022’ we broke down the most impactful security flaws of the year, but the question remains why vulnerabilities are so persistent, and why, sometimes, they can wreak havoc on an organization months or even years after they are uncovered.
What Makes Vulnerabilities So Dangerous?
Vulnerabilities can be sneaky: cyber criminals can discover them before organizations or software providers do, and as businesses in every industry digitize, the sheer volume of vulnerabilities keeps growing. This increase creates massive risk for organizations, because every vulnerability is a potential unlocked backdoor into their environment for a threat actor to walk through.
The rise in vulnerabilities can be attributed to:
- More in-house resources dedicated to vulnerability research
- Growing attack surfaces due to more connected software
- Stronger incentives for security researchers to find and report product vulnerabilities
But it’s not just the volume that spells danger for organizations. Some vulnerabilities are more critical than others, and while 2022 saw a decrease in overall criticality, there was still damage done. The Log4Shell vulnerability made headlines because the Log4j library—used by applications to record user activity and application behavior for later review—is one of the most widely used logging libraries and is likely present in millions of Java applications.
Why Do Vulnerabilities Remain Persistent?
If vulnerabilities are increasing because security researchers (or organizations) are finding them, then why aren’t they eliminated as fast as they’re found? There are four main reasons.
1. Programming Languages Can Create Flaws
There are a multitude of programming languages, and some create more vulnerabilities than others. Memory safety, the property that code cannot read or write memory it is not supposed to, is not guaranteed by every language, and memory errors become more likely as a codebase grows to a large, systems level. An increase in scale increases risk. In addition, human error still exists, and there is always a chance that vulnerable code will ship. Plus, artificial intelligence code generators, like ChatGPT, have been shown to produce more vulnerable code. It is never safe to assume that software ships completely free of vulnerabilities.
2. Organizations Aren’t Patching All Vulnerabilities
Patching is easier said than done. There are a multitude of reasons an organization can’t patch every flaw, the main one being that, given its staffing, the criticality of each flaw, and its security goals, patching everything just isn’t a realistic option. But when organizations fail to patch even the most pronounced and publicized vulnerabilities, they are inviting major risk: large, unpatched installation bases are exactly why old vulnerabilities continue to be exploited by threat actors. And as zero-day exploits show, cyber criminals are consistently looking for new back doors as well.
3. Organizations Don’t Know Certain Software Vulnerabilities Exist
There are two ways in which an organization might not know that a flaw exists. Either the flaw isn’t discovered until it is already being actively used by threat actors (often referred to as a zero-day exploit), or the organization lacks visibility into its own environment, especially at a micro level. Both are common problems, and the Log4Shell vulnerability is a strong example of each. Not only was it exposed as a zero-day exploit, but many traditional scanners can’t even scan for Log4Shell.
In addition, Log4j is such a common piece of open-source software that many organizations weren’t even aware it was in their environment.
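The visibility gap described above is partly a software inventory problem: Log4j ships as a jar that is often buried inside another archive (a .war or .ear), where a scanner that only looks at top-level file names never sees it. The following script is an added example, not Arctic Wolf tooling or anything from the article, showing how an inventory scan can open every Java archive on a host, recurse into nested archives, and report the log4j-core version it finds. It relies on two real conventions of the log4j-core artifact: the Maven descriptor at META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties, which carries the version, and the JndiLookup class that the Log4Shell mitigation guidance told operators to remove. The sample WAR it builds in a temporary directory is constructed for the demo; the version-to-advisory comparison is left to the reader, who should check reported versions against the vendor's advisory.

```python
"""Inventory scan for log4j-core inside Java archives, including archives
nested inside .war/.ear/.jar files. Added example for this article; not
Arctic Wolf's tooling. The sample WAR built by build_demo_tree() is
constructed for the demo."""
import io
import os
import tempfile
import zipfile

ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
# log4j-core carries this Maven descriptor, which records its version.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Class implementing the JNDI lookup; its absence is one sign the archive was
# mitigated according to the published Log4Shell guidance.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def _parse_version(props_text):
    """Pull the version= line out of a Java .properties file."""
    for line in props_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip()
    return None


def scan_archive_bytes(data, label):
    """Return findings for one archive held in memory, recursing into any
    archive it contains. `label` is the path used in the report; nested
    members are appended with '!' like a Java classpath URL."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container (corrupt or misnamed); skip
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            version = _parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
            findings.append({
                "path": label,
                "log4j_core_version": version,
                "jndi_lookup_present": JNDI_CLASS in names,
            })
        for name in names:
            if name.lower().endswith(ARCHIVE_EXTS):
                findings.extend(scan_archive_bytes(zf.read(name), f"{label}!{name}"))
    return findings


def scan_tree(root):
    """Walk a directory tree and scan every Java archive found in it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_EXTS):
                full = os.path.join(dirpath, fname)
                with open(full, "rb") as fh:
                    findings.extend(scan_archive_bytes(fh.read(), full))
    return findings


def build_demo_tree(root):
    """Constructed sample: a WAR whose WEB-INF/lib embeds a log4j-core jar.
    The version string and class bytes are placeholders for the demo."""
    os.makedirs(root, exist_ok=True)
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(POM_PROPS, "version=2.14.1\ngroupId=org.apache.logging.log4j\n")
        z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not a real class
    war_path = os.path.join(root, "app.war")
    with zipfile.ZipFile(war_path, "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
        z.writestr("WEB-INF/web.xml", "<web-app/>")
    return war_path


def run_demo():
    """Build the constructed sample in a temp directory and scan it."""
    root = tempfile.mkdtemp(prefix="log4j-inventory-")
    build_demo_tree(root)
    return scan_tree(root)


if __name__ == "__main__":
    for hit in run_demo():
        print(hit)
```

Run against a real host with `scan_tree("/opt")` or the application root of choice; each finding names the full nested path, the version from pom.properties, and whether the JndiLookup class is still present, which is the information a remediation ticket needs and that a file-name-only scanner misses.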
4. Many Organizations Rely on the Reputation of Software Providers
It’s easy to assume that the big players in software with strong reputations will keep your organization safe. However, larger software providers will naturally have more vulnerabilities, simply because of the sheer volume of code they ship and the number of threat actors trying to penetrate that software.
For example, the vulnerability CVE-2022-40684, one of the top ten this year, affected the FortiOS system. Cyber criminals have exploited Fortinet vulnerabilities in the past, showing that organizations need to stay on top of software updates and understand that a single system can accumulate multiple vulnerabilities over time.
Instead of relying on reputation, organizations need to take proactive measures to patch, monitor, and stay up to date on potential vulnerabilities and updates by providers.
How Can Organizations Mitigate Software Vulnerability Risks?
The main takeaway is that vulnerabilities will continue to be an issue, so organizations need to take steps to better secure their environment and, where possible, prevent security exploits through active vulnerability management.
There are multiple ways organizations can put themselves in a better position when it comes to vulnerabilities, including:
- Host-based vulnerability scanning to find, patch, and remediate severe risks
- Regular software updates, applying patches as soon as they become available
- A focus on vulnerability remediation and mitigation
Vulnerability management can be overwhelming for organizations to achieve solely in-house, especially as vulnerabilities grow in volume and organizations move toward a digital and cloud-first environment. Arctic Wolf® Managed Risk partners with your organization to enable you to discover, assess, and harden your security environment against digital risks.
Learn more about this year’s top vulnerabilities with The Most Exploited Vulnerabilities of 2022.