120-day patching gap puts many firms at risk of cyber attack, study shows

The probability of a vulnerability being exploited hits 90% between 40-60 days after discovery, but many firms are taking up to 60 days beyond that to patch, while others are failing to patch at all, a study shows

Companies regularly leave vulnerabilities unpatched for longer than it takes attackers to exploit them, a study has revealed.

A study by risk and vulnerability software-as-a-service firm Kenna found that, despite the best intentions, most companies take an average of 100-120 days to remediate vulnerabilities.

According to the report, exploitation is almost guaranteed. The probability of a vulnerability being exploited hits 90% between 40-60 days after discovery. This means companies have at most 40-60 days after release to react to well-known vulnerabilities before attackers strike, the report said, which creates a remediation gap – the period during which a vulnerability is most likely to be exploited before it is closed – of nearly 60 days.

However, the study also found that many companies have critical vulnerabilities that go unpatched altogether, even though they remain popular targets for hackers. According to the report, this demonstrates that remediation is often prioritised by which vulnerabilities are top of mind for security teams, rather than by which vulnerabilities are most likely to be exploited or could cause the most damage.

Kenna analysed 50,000 organisations, 250 million vulnerabilities and more than one billion breach events from January 2014 to September 2015 in the study on the proliferation of non-targeted attacks and companies’ ability to mitigate these threats through the timely remediation of security vulnerabilities in their software and network devices.

According to the study report, non-targeted attacks pose a different challenge to businesses than the more widely publicised advanced persistent threats (APTs).  

Rather than targeting a specific company, non-targeted attacks attempt to exfiltrate valuable data from as many companies as possible, relying on automated tools and techniques to scale their attacks and exploit commonly found vulnerabilities. 

The much-publicised Heartbleed exploit is a good example of a non-targeted attack, the report said, due to the ease with which an attacker could exploit multiple targets at once. Kenna predicts around 5,000 successful exploitations of Heartbleed a day for October 2015.

The report notes that automated attacks are on the rise, with more than 1.2 billion successful exploits on record in 2015 to date, compared with just 220 million successful exploits recorded in 2013 and 2014 combined. 

“Breaches are on the rise, and companies of all sizes are at risk. The reason for this intensifying inflection is in part non-targeted attacks, which come at such scale that security teams can’t keep up with them,” the report said.

According to Kenna, the ease and speed at which hackers can conduct non-targeted attacks make them a ubiquitous threat to all companies. Kenna warns that businesses cannot rely solely on manual techniques to combat automated attacks, but should seek automated methods that use computational models and algorithms to prioritise remediation based on actual risk.
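The remediation gap described above, and the risk-based prioritisation Kenna argues for, can be made concrete with a small model. The following is an added example written for this article; it is not Kenna's software or the report's own model. It takes the report's figures as quoted here (exploit probability reaching about 90% within 40-60 days of disclosure, remediation averaging 100-120 days) and applies an assumed, simplified likelihood curve to a constructed inventory of placeholder vulnerabilities. The asset-criticality scale, the `exploit_public` flag and the identifiers are all assumptions; the point is that ranking by exploit likelihood times asset value produces a different order from ranking by "newest and most critical", which is the "top of mind" behaviour the report criticises.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Figures the article quotes from the Kenna report.
EXPLOIT_WINDOW_DAYS = (40, 60)         # exploit probability reaches ~90% in this window
AVERAGE_REMEDIATION_DAYS = (100, 120)  # typical time firms take to patch (for reference)
LIKELIHOOD_CEILING = 0.9


@dataclass
class Vuln:
    ident: str               # constructed placeholder, not a real CVE identifier
    disclosed: date
    patched: Optional[date]  # None means still open
    asset_criticality: int   # assumed scale: 1 (low) .. 5 (critical)
    exploit_public: bool     # assumed: a public exploit or attack tool is known


def days_open(v: Vuln, today: date) -> int:
    """Days from disclosure until the patch date, or until today if still open."""
    end = v.patched if v.patched is not None else today
    return (end - v.disclosed).days


def remediation_gap(v: Vuln, today: date) -> int:
    """Days the vulnerability stayed open past the start of the high-probability
    exploit window (the article's 'remediation gap'); 0 if it was closed in time."""
    return max(0, days_open(v, today) - EXPLOIT_WINDOW_DAYS[0])


def exploit_likelihood(v: Vuln, today: date) -> float:
    """Assumed, simplified curve: likelihood ramps linearly from 0 at disclosure
    to the 0.9 ceiling at the end of the 40-60 day window and stays there.
    A known public exploit is treated as already at the ceiling."""
    if v.exploit_public:
        return LIKELIHOOD_CEILING
    _, window_end = EXPLOIT_WINDOW_DAYS
    return LIKELIHOOD_CEILING * min(days_open(v, today), window_end) / window_end


def risk_score(v: Vuln, today: date) -> float:
    """Likelihood of exploitation weighted by how much the asset matters."""
    return exploit_likelihood(v, today) * v.asset_criticality


def prioritise(inventory: List[Vuln], today: date) -> List[Vuln]:
    """Open vulnerabilities ordered by risk score (highest first), then by age."""
    open_vulns = [v for v in inventory if v.patched is None]
    return sorted(open_vulns,
                  key=lambda v: (risk_score(v, today), days_open(v, today)),
                  reverse=True)


def past_window_unpatched(inventory: List[Vuln], today: date) -> List[str]:
    """Identifiers of vulnerabilities still open beyond the exploit window."""
    return [v.ident for v in inventory
            if v.patched is None and remediation_gap(v, today) > 0]


# Constructed sample inventory; dates chosen around the report's 2015 timeframe.
TODAY = date(2015, 10, 1)
INVENTORY = [
    Vuln("VULN-A", date(2015, 5, 1), None, 5, True),                # old, critical, exploit public
    Vuln("VULN-B", date(2015, 9, 20), None, 5, False),              # new and "top of mind"
    Vuln("VULN-C", date(2015, 8, 1), None, 2, False),               # low-value asset, past window
    Vuln("VULN-D", date(2015, 4, 1), date(2015, 5, 5), 4, False),   # patched within 34 days
]

if __name__ == "__main__":
    for v in prioritise(INVENTORY, TODAY):
        print(f"{v.ident}: open {days_open(v, TODAY):3d}d, "
              f"gap {remediation_gap(v, TODAY):3d}d, score {risk_score(v, TODAY):.2f}")
    print("unpatched beyond exploit window:", past_window_unpatched(INVENTORY, TODAY))
```

Run as written, the ranking puts VULN-A first (153 days open, public exploit, critical asset) and VULN-B, the newest critical-asset finding, last, because at 11 days its estimated exploit likelihood is still low. VULN-C ranks above VULN-B despite sitting on a low-value asset, because it has been open past the whole window. Swapping in a better likelihood model (for example one fed by observed exploitation data, as the report recommends) only requires replacing `exploit_likelihood`.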

“The public has grown very familiar with hackers seeking out a specialised target, such as Ashley Madison, but automated, non-targeted attacks still remain the most significant threat to businesses of all sizes,” said Karim Toubba, chief executive at Kenna.

“Every company has data hackers want to get their hands on, but security teams remain one step behind their adversaries. Security teams need to move quickly to remediate critical vulnerabilities, but they don’t have the tools needed to keep pace with hackers,” he said.

According to Toubba, throwing people at the problem is no longer sufficient for remediating vulnerabilities and combatting the sheer volume of automated attacks.

“Companies need defences that are as automated as the attacks that continue to hammer them – fixing vulnerabilities manually is no longer possible,” he said.

The report cites James Trainor, acting assistant director of the FBI’s cyber division, as saying that data breaches are up 400% in 2015 and the workforce for the cyber division needs to be doubled or tripled. According to a PwC report, there was an almost 100% increase in breaches year over year in 2014.

The report attributes this increase not to the sophistication of attacks themselves, but rather to the fact that attackers are getting better at automating attacks, resulting in an unprecedented volume of attacks, as well as volume of businesses exposed to these attacks.

Because information security teams cannot match the pace of automated attacks, a significant gap has opened between the time critical vulnerabilities appear and the time it takes security teams to fix them, the report concludes.
