The changing environment of vulnerability analysis

Cybersecurity reports reveal the most frequently exploited vulnerabilities

Shortly after the launch of its second annual report called “Under the Hoodie: Lessons from a season of penetration testing”, cybersecurity firm Rapid7 continues to examine the data collected from the 268 pentesting services it made between September 2017 and June 2018. Software vulnerabilities are the core of penetration testing, so for the companies’ ethical hacking teams looking to optimize their vulnerability management efforts based on exploits, omissions and actual security holes, this report provides ideas and advices taken from practical experiences.

According to this report, you can see a significant increase in the rate of software vulnerabilities that are being exploited to be able to control a critical network resource.

Today’s environments defy how we analyze and manage vulnerabilities. With expanding attack surfaces that include physical and virtual environments, complex web applications that change frequently, and the avalanche of alerts that all this produces, it’s no wonder that vulnerabilities continue to accumulate. Moreover, as code and systems become more complex and more interconnected, the probability of introducing vulnerabilities into a network environment becomes inevitable.

Experts in ethical hacking mention that when new vulnerabilities are exploited, the attacker will bypass the security controls on a system. This can lead to the leaking of sensitive information, privilege escalation, execution of arbitrary code, among many other types of cyberattack.

Of a total of 268 penetration tests performed, the most common vulnerabilities found were:

  • SMBRelay (to deploy Man-in-the-Middle attacks)
  • Cross-Site scripting (XSS)
  • Clickjacking
  • Escalation of local privileges
  • SQL Injection

Identify vulnerabilities in a modern environment

Malicious hackers operate according to the activity of experts in ethical hacking; at the time when the vulnerability is revealed, the hunt begins, as malicious hackers know that many organizations cannot keep up with them. This means that, as ethical hackers, not only do we need the ability to detect vulnerabilities quickly, but we also need to patch them as soon as possible. Knowing this, the monthly vulnerability scan is no longer enough, taking into account that environments change steadily.

The more complex an environment is, the more difficult it will be to detect vulnerabilities with conventional techniques, which is why lots of organizations look for ethical hacking specialists’ solutions to analyze expansive and constantly changing environments.

 

Prioritize critical vulnerabilities

Finding a new vulnerability is the first step, knowing which one to prioritize the next. That’s why ethical hacking specialists from the International Institute of Cyber Security agree that pentesters should work with tools not only to detect the present vulnerabilities, but also to prioritize these vulnerabilities depending on which are the biggest threats to an organization at any given time.

If you have wide visibility on an environment, you can prioritize what vulnerabilities to address based on actual threat data and even automate some of the recovery steps. In compensation, vulnerabilities can be patched much faster, reducing the timeframe of an attacker and fortifying the security of organizations.