Patching. Patching. And More Patching.
Does it feel like you (or your company) are always applying patches? Do the security vulnerabilities feel like they are always the same? As a Vulnerability Management professional, do you have a good mechanism to prioritize the vulnerabilities?
Researchers at Recorded Future recently published their top ten list of security vulnerabilities most exploited by hackers in 2018 to help you with that prioritization. Their analysis is based on metadata from open, deep, and dark web sources. They found that exploits were most often delivered through phishing, automated exploit kits, or RATs (remote access Trojans). A RAT is a piece of malware that includes a back door, allowing attackers administrative control over the computer on which it is installed.
Before we share their list, we asked our own audience to choose the security vulnerability that is most exploited by hackers. With a resounding 40% of the vote, Adobe Flash Player took the top spot. This is hardly surprising as Adobe stopped updating the Flash Player back in 2017 (with all major browsers working towards removing it), and announced a retirement date of December 2020.
Our audience’s top spot was almost in alignment with Recorded Future’s. They listed Adobe Flash Player as the second most popular attack avenue. Let’s take a deeper look at the rest of the top ten.
The Top Ten
In Recorded Future’s Annual Vulnerability Report, they listed the top ten most commonly exploited vulnerabilities in 2018 as:
- CVE-2018-8174 – Microsoft
- CVE-2018-4878 – Adobe
- CVE-2017-11882 – Microsoft
- CVE-2017-8750 – Microsoft
- CVE-2017-0199 – Microsoft
- CVE-2016-0189 – Microsoft
- CVE-2017-8570 – Microsoft
- CVE-2018-8373 – Microsoft
- CVE-2012-0158 – Microsoft
- CVE-2015-1805 – Google Android
Should we read into Microsoft holding 8 of the top 10 spots that its software is more vulnerable? Not necessarily. In 2018, Microsoft was reported as having a 60%+ OS market share, so it stands to reason that Microsoft software is what most targets have running on their computers and is thus highly exploited by threat actors. On the 2017 list, Microsoft held 7 of the 10 spots, so it’s up one in 2018.
What’s a Company To Do?
Since abandoning Microsoft software isn’t practical for an organization, enterprises can combat vulnerabilities in a few distinct ways:
- User awareness training helps all users understand how to best protect themselves and the organization’s systems by recognizing phishing attempts and being mindful of computer and password security.
- Practitioner training ensures that all members of the team have a clear understanding of vulnerabilities and patching needs, alongside specific and ongoing training for vulnerability management specialists. This ensures that vulnerabilities are being identified.
- With a constantly evolving threat landscape and innumerable alerts, organizations need to choose their battles and decide what to manage first.
- Patching and remediation: best practices dictate patching on a regular basis. Some organizations have a weekly schedule, some monthly, some a rolling schedule, but all ensure coverage of hardware, software, and mobile devices.
Vulnerability Management Role in Your Future?
Interested in a future in vulnerability management? A Vulnerability Management team member is responsible for finding existing vulnerabilities, determining how critical those vulnerabilities are, developing a remediation plan, and setting up a continuous scanning schedule plus all of the work that goes into future-proofing. Vulnerability Management includes correcting any vulnerabilities, thereby decreasing the likelihood that a threat actor can access the organization’s network. Learn more about the role here.
If you’re looking to position yourself for success in vulnerability management, make sure you are as marketable as possible. In addition to interest, aptitude, and experience, ensure you have a cert (or two) to help differentiate yourself from other candidates. Each of the following certifications covers a curriculum that includes vulnerability management.
- Cybersecurity Analyst+
- CASP – Advanced Security Practitioner
- CFR – CyberSec First Responder
- CND – Certified Network Defender
Need some help with these or other certification test preparation? We’re here to help! And meanwhile, get those patches up to date!