To the outside observer, the Equifax breach and WannaCry ransomware may have nothing in common. But in reality, both involved hackers who were able to exploit unpatched vulnerabilities in servers operating Windows 7 and Windows 8. Both the hackers of Equifax and those that used WannaCry were able to do so by targeting businesses that ran unpatched Windows software.
The Extent of the Problem
To better understand the problem, Spiceworks conducted a survey and found that 69% of businesses worldwide are currently running Windows 7, 5 percent run Windows 8, and (shockingly) 14% still run Windows XP, which Microsoft stopped supporting in 2014. What’s more, a recent ServiceNow survey (conducted by Ponemon) highlighted some alarming trends:
- Of the 3,000 companies surveyed, almost half admitted that their organization suffered a data breach in the last two years.
- Of those that suffered a breach, almost 60% were due to an unpatched vulnerability.
- Finally, of those that suffered a breach, 34% knew they were vulnerable but did nothing.
The Road Forward
Despite the gloomy statistics, there is a bright side. Most of these Windows vulnerabilities are Known Vulnerabilities (or N-Day). This means that the most significant factor in avoiding N-Day threats is proactively hunting vulnerabilities and patching them immediately.
Unfortunately, although many companies are increasing their IT security budgets, they still face a “patching paradox,” wherein throwing more monetary and human capital at the problem doesn’t necessarily translate to a better security posture. Why? There are too many N-Day vulnerabilities out their and not enough resources to identify and neutralize them all.
To mitigate this, here are three things a company should do to make sure they keep one step ahead of the cybersecurity threats:
Prioritize and Patch - Companies need to prioritize their patching strategy and go after critical patches first. One way to do this is to focus on N-Day vulnerabilities that have already caused breaches in other companies. Hackers learn from each other. Once a vulnerability has been exploited, know that others will use it as well.
Remember, most businesses are still running Windows 7 or Windows 8, despite high penetration rates of 87% and 38%, respectively. This means that organizations relying on these operating systems have to be especially diligent about keeping on top of security patch releases and applying them in a timely manner.
Know Where You Stand - Next, if you have not already, perform a SOC 2 audit. This helps companies audit their existing security controls and identify additional controls needing to be adopted. While SOC 2 can focus on more than just security, at the very least, a SOC 2 audit can point out practices that companies need to enhance their current cybersecurity stance. If you don’t have a comprehensive view of where you currently stand, you will never have a clear view of your strengths and weaknesses.
Go Hunting - Finally, no amount of patching and shoring up practices will completely keep you safe. You should give least privileges to roles and users and actively monitor to make sure credentials are used within parameters. If a hacker gains access to your network through an N-Day vulnerability, it may be months before they are able to tunnel in to sensitive data. Spotting anomalous behavior early could very well prevent a breach.
Bad actors are always looking for an easy meal ticket. Your organization could be next to provide hackers with a windfall if you’re not vigilant about the known security risks due to unpatched software.