The number of vulnerabilities an organization can face is large enough that, for anyone not working in security, it can come as a shock. The types of vulnerabilities can be just as unfamiliar to those without extensive experience in the field. That gap in knowledge and expertise is why so many businesses struggle to track, let alone reduce, their security risks.
A recent study by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) shows just how many vulnerabilities can be lurking about, and it also lists the most common types organizations can expect to face. Knowing the types helps an organization understand what it can do to reduce at least some of its risk. Let's start with the numbers.
ICS-CERT's annual vulnerability coordination report for 2015 lists 427 vulnerabilities reported during the year, almost double the 245 reported in 2014. One piece of better news was the drop in the share of flaws rated high severity: 43% in 2015, down from 70% in 2014. By sector, energy topped the chart with more than 800 vulnerabilities reported since 2011, followed by critical manufacturing with over 700 and water and wastewater systems with over 600.
By type, 27% of the vulnerabilities involved permissions, privileges and access control; 25% improper input validation; 19% credentials management; 12% improper control of a resource; 11% cryptographic issues; and 6% poor code quality. That permissions, privileges and access control topped the list is concerning but not surprising: these are flaws where software fails to enforce who may do what, and they are exactly what an insider, or an attacker holding a legitimate account, needs in order to reach beyond the access they were meant to have.
Insider threat is nothing new, and it is well documented that attackers target executives and others who hold a high level of access to a company's systems and network. An organization that wants to lessen this risk can start there. Knowing who holds which permissions and privileges is the first step; the next is managing those access controls by reducing the number of people who have that level of access, and reviewing the list regularly so that it stays small. A further step is to put extra layers of security, such as a second authentication factor and logging of privileged actions, in front of those specific kinds of access to the network and company systems.
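The review described above can be made routine rather than occasional. The script below is an added example, not code from the article or from ICS-CERT: it takes a constructed account export (users, group memberships, last login, enabled flag) and an approved baseline of who may hold each privileged group, then reports unapproved grants, dormant privileged accounts and disabled accounts that still carry privilege. The group names, user names, dates and the 90-day dormancy threshold are all assumptions for the sake of illustration.

```python
"""Privileged-access review over a constructed account export.

Added example for this article; not code from ICS-CERT or from the page.
Group names, users, dates and the dormancy threshold are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed names of groups that confer privileged access.
PRIVILEGED_GROUPS = {"Domain Admins", "SCADA Engineers", "Historian Admins"}
# Assumed review threshold: privileged accounts unused this long are flagged.
DORMANT_AFTER = timedelta(days=90)
# Fixed "today" so the review is reproducible; a real run would use date.today().
TODAY = date(2016, 3, 1)


@dataclass(frozen=True)
class Account:
    user: str
    groups: frozenset
    last_login: date
    enabled: bool


# Constructed sample export, not real data.
ACCOUNTS = [
    Account("alice", frozenset({"Domain Admins"}), date(2016, 2, 27), True),
    Account("bob", frozenset({"Domain Admins", "SCADA Engineers"}), date(2016, 2, 25), True),
    Account("carol", frozenset({"SCADA Engineers", "Historian Admins"}), date(2015, 8, 1), True),
    Account("dave", frozenset({"Domain Admins"}), date(2016, 2, 29), True),
    Account("eve", frozenset({"Users"}), date(2015, 1, 15), True),
    Account("svc_backup", frozenset({"Historian Admins"}), date(2016, 2, 20), False),
]

# Assumed approved baseline: the people who are allowed each privileged group.
APPROVED = {
    "Domain Admins": {"alice", "bob"},
    "SCADA Engineers": {"carol"},
    "Historian Admins": {"carol"},
}


def privileged_members(accounts):
    """Map each privileged group to the set of users currently in it."""
    members = {g: set() for g in PRIVILEGED_GROUPS}
    for a in accounts:
        for g in a.groups & PRIVILEGED_GROUPS:
            members[g].add(a.user)
    return members


def unapproved_grants(accounts, approved):
    """(user, group) pairs where membership is not in the approved baseline."""
    findings = []
    for a in accounts:
        for g in a.groups & PRIVILEGED_GROUPS:
            if a.user not in approved.get(g, set()):
                findings.append((a.user, g))
    return sorted(findings)


def dormant_privileged(accounts, today, threshold=DORMANT_AFTER):
    """Enabled privileged accounts that have not logged in within the threshold."""
    return sorted(
        a.user for a in accounts
        if a.enabled and a.groups & PRIVILEGED_GROUPS and today - a.last_login > threshold
    )


def disabled_with_privilege(accounts):
    """Disabled accounts that still hold privileged group membership."""
    return sorted(a.user for a in accounts if not a.enabled and a.groups & PRIVILEGED_GROUPS)


def review(accounts, approved, today):
    """Run every check and return the findings as one dictionary."""
    return {
        "privileged_members": {g: sorted(u) for g, u in privileged_members(accounts).items()},
        "unapproved_grants": unapproved_grants(accounts, approved),
        "dormant_privileged": dormant_privileged(accounts, today),
        "disabled_with_privilege": disabled_with_privilege(accounts),
    }


if __name__ == "__main__":
    for name, finding in review(ACCOUNTS, APPROVED, TODAY).items():
        print(f"{name}: {finding}")
```

The baseline is the important design choice: without an explicit list of who is supposed to hold each privileged group, a review can only count members, and it cannot tell a legitimate administrator from a grant that crept in. Running the comparison on a schedule, and treating every unapproved or dormant entry as something to remove or justify, is what keeps the privileged population from growing back.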
Whatever the type of vulnerability, it is also highly advisable to bring in external audits, so that someone from outside takes a second look at the organization's security posture: confirming that policies and procedures are being followed and that the business continuity plan is tested regularly. You cannot reduce security risk without a proactive approach; just as security technology alone is not enough, neither is a plan that is never checked or tested.
All it takes for an intruder to get in is one vulnerability. Each of the 427 vulnerabilities reported in 2015 is a potential way into any network where the affected product is running unpatched: a way to take data, stop business operations, or worse. The number may look small next to thousands or millions, but if one is all it takes, 427 is plenty, considering the damage a breach can do to a business or even an entire nation.