Exploit Wednesday Strikes Again

A few days ago Symantec reported a Word exploit in the wild just one day after Microsoft released the patch for the corresponding vulnerability. Rather unusually it was created using Word for Macintosh. Yet just a few months back McAfee claimed that “Exploit Wednesday” was a myth, pointing out that hackers simply don’t stockpile exploits waiting for the release of a patch. Perhaps they do. Or perhaps vendors have taken to stockpiling announcements.

But arguing about the current motives and habits of hackers is beside the point. The threat changes all the time. It can go up or down in any month. The real trend to note is that our exposure continues to get worse. Exploits are increasingly likely to strike before you get to roll out your patches. And the consequence is that we need to tighten up security around critical applications and infrastructure. Baseline security measures are no longer sufficient to protect valuable corporate assets. Organisations must identify, prioritise and place additional layers of security around their Crown Jewels, because corporate infrastructures are becoming as open to attacks as the Internet itself.

1 comment

I wholeheartedly agree with focusing on the corporate Crown Jewels and no one would argue that the Crown Jewels don't need additional layers of protection. However, experience tells me that the threat doesn't necessarily go for the biggest and juiciest prize. Why strain to reach the biggest, ripest fruit at the top of the tree when you can expend less energy by picking the lowest hanging fruit? Sure, the lowest hanging fruit might not be exactly what you're after, but you sure can pick a whole lot more of it! Bringing this back into the corporate world, it might be much easier to go and gather lots of small innocuous pieces of information (that are not/less well protected) that paint the same picture as the Crown Jewels (or newly formed marketing strategy, corporate takeover plans, buyout schedule or whatever). My point is that there's so much low level information that organisations inadvertently publish, why bother going for the heavily protected stuff? What about enforcing baseline security for the low level corporate assets? And I'm assuming that a lot of information that people feel doesn't have any value will have value to someone operating in a particular context. We're doomed! ;-)