Legacy vulnerabilities remain a real problem for businesses and organizations around the world. A recent report revealed the most Googled cyber threats and vulnerabilities over the past five years, and it was notable that legacy vulnerabilities account for a very large number of the searches.
When legacy vulnerabilities are not patched, they can be exploited by hackers to obtain an easy way into systems and applications.
In this article, we will take a look at five legacy vulnerabilities that many organizations, including your own, may not yet have patched.
Heartbleed was discovered in 2014—and yet six years later is still a problem. It is a code flaw in the popular cryptography library OpenSSL; a resource for developers with tools and information that allows the implementation of Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.
Websites, emails, and VPNs rely on these SSL and TLS protocols for security and privacy of communication, and at the time the vulnerability was discovered, all applications with OpenSSL components were exposed. This meant that, initially, 17 percent of all SSL servers globally were vulnerable.
Several years later, the analysis showed that 200,000 devices were still vulnerable to Heartbleed. Even now it can still be found in applications, systems, and devices, despite the fact that it can be fixed by upgrading to the latest version of OpenSSL.
Also found in 2014, the Shellshock vulnerability is now known to have existed for more than two decades—and continues to be used against unpatched Unix, Linux, and macOS servers in order to conduct powerful and damaging attacks. The bug can be exploited by cybercriminals in order to execute everything from malware and data exfiltration to distributed denial of service (DDoS) attacks.
An initial fix was released for Shellshock, however unbeknown to many organizations, it proved ineffective, and it is still very much a problem for businesses today. This is especially true because it requires only a basic level of programming skills in order to exploit it. However, a revised patch that deals effectively with the issue has been available for a long time.
But Shellshock remains a problem today. The ongoing cyber threat campaign known as ‘Sea Turtle’—which abuses DNS records in order to gain access to sensitive systems—initially achieves access through a number of common vulnerabilities, one of which is Shellshock. Like Heartbleed, the vulnerability is also being used to compromise organisations running applications in Docker containers.
WannaCry is one of the most well-publicized cyber-attacks ever. This self-spreading ransomware made headlines as it caused disruption to businesses and organizations around the world. A new analysis has revealed the true cost of the 2017 WannaCry cyber-attack on NHS hospitals in England to be almost £6 million.
The ransomware was able to spread by exploiting the EternalBlue vulnerability in Microsoft’s Windows operating system.
Interestingly, this attack was a legacy issue even before it hit the headlines. A patch was available for the vulnerability for more than two months before it caused all the trouble. It was only the fact that many organizations had failed to keep their systems up to date that the attack was able to be so effective. And yet, even today WannaCry remains a problem.
4 & 5. Spectre and Meltdown
These are both types of hardware vulnerabilities with a number of different variants and emerged in early 2018. Spectre allows the reading of arbitrary locations in the memory of a program. Meltdown allows a process to read all of the memory in a system.
Cybercriminals can use Meltdown and Spectre to bypass security for a full range of devices including Internet of Things (IoT) devices, as well as computers and smartphones. They can then be used to read protected aspects of the system which could allow access to passwords and encryption keys.
How to check if your business is vulnerable
Protecting your business against both new and legacy vulnerabilities can be a challenge—but it is one that you need to take seriously. As cybercrime becomes more prevalent, the onus is on businesses to ensure that they have controls and processes in place to minimize the risk of attacks.
“With threats continuing to grow in both volume and sophistication, performing a pen test to understand how an attacker might breach your business’ defences and the appropriate action needed to address the risk is an important part of effective cyber security.” (Redscan)
Patching can be labor and time-intensive, but it is fundamental to maintaining a high standard of cyber hygiene. To secure your business, you need to make sure your organization has a strong patch management policy, runs vulnerability assessments and commissions regular penetration tests to help identify systems and applications that are at risk.
|Chester Avey has over a decade of experience in business growth management and cyber security. He enjoys sharing his knowledge with other like-minded professionals through his writing. Find out what else Chester has been up to on Twitter: @Chester15611376.|