Neglect These 'Second-Tier' Vulnerabilities at Your Own Risk

By now you should be familiar with the "mega" vulnerabilities that were assigned splashy monikers over the past 15 months, a trend that previously had been reserved for dangerous malware and successful exploit groups.

In some cases, this new branding strategy was well thought out (and complete with logos of bleeding hearts), while in others, the name for the famous flaw just kind of stuck. Regardless, these naming exercises are genuinely significant because they attract widespread attention for serious digital risks.

But it is also important to keep in mind that for every Heartbleed, Shellshock and POODLE, there are thousands of other vulnerabilities that are anything but household names - yet perhaps they should be.

The 2015 Trustwave Global Security Report, released last month, offers valuable insight into the vulnerabilities that have placed organizations across the world at risk. The report covers the "celebrity" examples, but also devotes ample real estate to the less heralded weaknesses. And for good reason. As the report notes: "Sophisticated attackers prefer their vulnerabilities with a little less fanfare." In fact, in the fourth quarter of 2014, of the vulnerabilities identified in host-based scans performed by Trustwave, fewer than 1 percent were Heartbleed. The same went for Shellshock.

So which vulnerabilities are we most often spotting? Here are two categories of vulnerabilities that have experienced massive exploitation in recent months, but probably didn't make the evening news.

The zero-days

Trustwave researchers in 2014 tallied 22 "high-profile" zero-day vulnerabilities, for which no patch or anti-virus signature was available at the time of discovery. That makes them far more threatening to the average organization. In many cases, these bugs affect common software that businesses use every day.

Of the 22 zero-days, 10 affected Microsoft products and five impacted Adobe, with four of those five involving Flash. Flash is a big-time target due to its widespread use and ease of exploitation - enough so that one prominent security journalist recently chronicled his experience of going one month without using the software. And just this week, several potential Flash zero-day vulnerabilities have emerged as part of a data dump.

The primary purpose of zero-day vulnerabilities is to fly under the radar. Once these defects become known to the security community at large, they become far less valuable. As such, most zero-day exploits are used sparingly and on specific, high-value targets. However, in some cases, zero-days are included in exploit kits, a thriving trade on the criminal underground.

The known but unpatched

A second class of vulnerability that organizations should fret over consists of weaknesses that have been patched, but which attackers are still widely exploiting because businesses have been tardy in applying the fixes.

For that, we turned to our internal and external network vulnerability scanners, which observed years-old vulnerabilities, such as RC4 weak ciphers, that result in insecure server configurations for Secure Sockets Layer (SSL) and Transport Layer Security (TLS).

While SSL certificates themselves aren't the problem, organizations must cease supporting outdated and vulnerable SSL/TLS protocols on web servers and other services - the same guidance that the PCI Security Standards Council just issued to businesses handling credit and debit cards.
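A small configuration audit in the spirit of the guidance above, added here as an example and not taken from the report or from Trustwave's scanners: it reads an nginx-style server block, flags the legacy protocol versions and RC4-style cipher suites the post describes, and shows the weak configuration beside a hardened one. The server blocks, the protocol list and the cipher markers are constructed for illustration.

```python
"""Flag weak SSL/TLS settings (legacy protocols, RC4 and similar ciphers)
in an nginx-style server block. Added example; sample configs are constructed."""

# Protocol versions that should no longer be offered. Assumption: TLS 1.0 and
# 1.1 are treated as legacy alongside SSLv2/SSLv3, in line with the PCI direction.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Fragments that identify RC4 and other known-weak suites (DES/3DES, NULL,
# export-grade, MD5-based) in an OpenSSL-style cipher string.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")

def parse_tls_directives(config: str) -> dict:
    """Return ssl_protocols as a list and ssl_ciphers as a list of suites."""
    protocols, ciphers = [], []
    for line in config.splitlines():
        line = line.strip().rstrip(";")
        if line.startswith("ssl_protocols"):
            protocols = line.split()[1:]
        elif line.startswith("ssl_ciphers"):
            # Cipher strings are colon separated and may be quoted.
            ciphers = line.split(None, 1)[1].strip("'\"").split(":")
    return {"protocols": protocols, "ciphers": ciphers}

def audit_tls_config(config: str) -> list:
    """Return a list of findings; an empty list means nothing weak was offered."""
    directives = parse_tls_directives(config)
    findings = []
    for proto in directives["protocols"]:
        if proto in LEGACY_PROTOCOLS:
            findings.append(f"legacy protocol enabled: {proto}")
    for suite in directives["ciphers"]:
        # "!RC4" / "-RC4" remove a suite rather than offer it, so skip them.
        if suite.startswith(("!", "-")):
            continue
        if any(marker in suite.upper() for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher offered: {suite}")
    return findings

# Constructed sample: the kind of years-old configuration scanners still find.
WEAK_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'RC4-SHA:AES128-SHA:DES-CBC3-SHA';
}
"""

# The same block with legacy protocols and weak suites removed.
HARDENED_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:!RC4:!MD5';
}
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_tls_config(cfg) or ["ok"])
```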

(For a full rundown of the vulnerabilities referenced above and their specific CVE numbers, check out the 2015 Trustwave Global Security Report).

What to do?

Oftentimes, zero-day exploits get through and patches are missed because an organization lacks the in-house skills or headcount to keep up. The bottom line is that companies commonly run so many systems with potential holes that they need assistance in the form of managed vulnerability scanning and deep-dive pen testing across their IT inventory of databases, networks and applications. They should also consider combining this testing with a managed service that addresses malware, zero-day vulnerabilities and blended threats in real time.

Among other things, managed security services providers (MSSPs) can help strained businesses cover more threat vectors, respond to emerging threats faster and keep systems more up to date.

Dan Kaplan is manager of online content at Trustwave and a former IT security reporter and editor.
