Software vulnerabilities are, unfortunately, a part of life. A vulnerability is an error in software that threat actors can exploit to gain access to that software or make it behave in a way its creators did not intend. Every year, thousands of new vulnerabilities are discovered and publicly compiled into a list of disclosed security flaws called Common Vulnerabilities and Exposures, or CVEs. A CVE is a security flaw that has been assigned a CVE identification number. The CVE list is maintained by MITRE, a not-for-profit organization sponsored by the U.S. federal government.
Not every vulnerability is the same. The methods for exploiting them differ on a case-by-case basis, as does the way they can be used against users — such as allowing a hacker to gain system administrator access with full privileges, or to distribute different types of malware.
CVEs are assigned severity levels, which indicate how urgently users should patch that particular vulnerability. In 2020, a massive 57% of vulnerabilities — some 10,300 CVEs — were classified as either “critical” or “high” in severity. That’s bad news.
Lower barrier to entry
What’s arguably even worse news, however, is how easily these CVEs can be exploited. Easier exploitation of a vulnerability means a lower barrier to entry for hackers, which in turn can mean a greater number of attempts to exploit it. In 2020, a reported 63% of disclosed vulnerabilities were classified as being of “low complexity.” That means they can be exploited even by attackers with minimal technical skills. This reportedly marks a 13-year high in the share of low-complexity vulnerabilities.
Furthermore, vulnerabilities requiring no interaction on the part of users are also on the rise, representing a sizable 68% of CVEs in 2020. Such vulnerabilities lend themselves to mass exploitation attacks against large numbers of users.
The good news about vulnerabilities is that, at least in the case of trustworthy developers, devs are quick to listen. When developers discover, or are informed of, a vulnerability, they spring into action to plug the gap that allows the bug to be exploited. They then typically issue over-the-air updates, referred to as patches, which modify the software code so that the vulnerability no longer exists or can no longer be exploited.
The trouble with patches
But even this doesn’t solve the problem entirely. Setting aside “zero day” attacks (which exploit vulnerabilities that have yet to be patched), even patching itself can be difficult to manage.
Imagine, for instance, that you suddenly received a list of every possible way a thief could break into your house. If there were just one or two weaknesses, you might be able to fix them right away. But if the list ran on for several pages, you might not immediately have the time or resources to solve all of the problems.
Patching presents a similar scenario. Even though patches may be pushed out quickly by developers, businesses and other organizations may not immediately have the resources to manage them. Some 23,000 new vulnerabilities are discovered each year and, while not all of them will affect everyone, companies that rely on hundreds of different apps may not be able to install every new patch as soon as it comes along.
This is where vulnerability catalogs such as the one produced by MITRE can be a big help. Rather than simply working through a backlog of CVEs in chronological order, enterprises can prioritize them according to severity, complexity, or whatever other criteria they choose. Nonetheless, staying on top of the backlog is not an easy task, and even prioritizing one group — such as low-complexity, high-severity CVEs — can be a challenge.
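The prioritization described above can be made concrete with a small triage script. The following is an added example written for this article, not a MITRE tool or any vendor's product. The backlog records are constructed, the CVE identifiers are placeholders rather than real entries, and the scoring weights (severity first, then low attack complexity, then no required user interaction) are an assumption chosen to match the three factors the article discusses.

```python
"""Added example: ordering a CVE backlog by the factors the article discusses.

Illustrative code for this article; not a MITRE tool. The records below are
constructed and the CVE IDs are placeholders, not real catalog entries.
"""
from dataclasses import dataclass

# Assumed ranking of severity labels; higher means more urgent.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class CveRecord:
    cve_id: str             # placeholder identifier, not a real CVE
    severity: str           # "critical", "high", "medium" or "low"
    attack_complexity: str  # "low" or "high"
    user_interaction: bool  # True if a victim must do something first
    affects_us: bool        # True if the product is actually in our estate
    patch_available: bool   # True if the vendor has shipped a fix


def priority_score(rec: CveRecord) -> int:
    """Higher score means patch sooner.

    Assumed weighting: severity dominates (hundreds), low complexity adds 20,
    and no required user interaction adds 10, so the 'low-complexity,
    high-severity' group the article singles out floats to the top.
    """
    score = SEVERITY_RANK[rec.severity.lower()] * 100
    if rec.attack_complexity.lower() == "low":
        score += 20
    if not rec.user_interaction:
        score += 10
    return score


def triage(records, only_affecting=True):
    """Return the backlog most-urgent first, dropping CVEs that don't affect us.

    Ties are broken by CVE ID so the ordering is stable and reproducible.
    """
    candidates = [r for r in records if r.affects_us or not only_affecting]
    return sorted(candidates, key=lambda r: (-priority_score(r), r.cve_id))


def urgent_bucket(records):
    """The 'low-complexity, high-severity' group: critical/high and low complexity."""
    return [
        r for r in records
        if r.affects_us
        and r.severity.lower() in ("critical", "high")
        and r.attack_complexity.lower() == "low"
    ]


# Constructed sample backlog (placeholder IDs; values chosen to exercise the ordering).
SAMPLE_BACKLOG = [
    CveRecord("CVE-EXAMPLE-0001", "critical", "high", False, True, True),
    CveRecord("CVE-EXAMPLE-0002", "high", "low", False, True, True),
    CveRecord("CVE-EXAMPLE-0003", "critical", "low", True, True, False),
    CveRecord("CVE-EXAMPLE-0004", "medium", "low", False, True, True),
    CveRecord("CVE-EXAMPLE-0005", "critical", "low", False, False, True),
]


if __name__ == "__main__":
    for rec in triage(SAMPLE_BACKLOG):
        print(priority_score(rec), rec.cve_id, rec.severity, rec.attack_complexity)
```

Running the script lists the four records that affect the constructed estate, critical ones first, with the low-complexity critical entry ahead of the high-complexity one; the fifth record is dropped because it does not affect any product in use. The `patch_available` field is carried so that an entry with no vendor fix can be routed to a compensating control instead of the patch queue.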
The importance of virtual patching
Fortunately, there are tools to help. Virtual patching is a game-changer in this regard. Virtual patching, despite its name, is not a software patch in the sense described above. Instead, it’s a set of rules that blocks malicious behavior before it can cause damage. Cyber security tools like Runtime Application Self-Protection (RASP) and Web Application Firewalls (WAFs) can stop potential threats in their tracks by recognizing and blocking malicious inputs and request payloads.
While it’s still highly advisable that enterprises install patches where available (software upgrades also frequently introduce new features), virtual patching offers an extra layer of protection against vulnerabilities that may otherwise be exploited.
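To show what a virtual patch actually is, the following added example (written for this article, not the rule format of any real WAF or RASP product) places a request-inspection rule in front of a handler whose code is left untouched. The handler, the rule values (an allowed character set for the `report` parameter and a body size cap) and the sample requests are all constructed assumptions for illustration.

```python
"""Added example: a virtual patch as a rule layered in front of unmodified code.

Illustrative code for this article; it is not a real WAF or RASP rule engine.
Requests are constructed dicts, and the rule values are assumptions.
"""
import re


def legacy_report_handler(request):
    """The handler we cannot patch right now. It trusts its 'report' parameter
    (a constructed stand-in for a vulnerable code path); its code stays untouched."""
    name = request["params"].get("report", "")
    return {"status": 200, "body": f"loading report {name}"}


# Virtual patch rules. A positive (allowlist) rule for what 'report' may contain
# beats trying to enumerate every bad input; the size cap limits oversized payloads.
# Both values are assumptions chosen for this example.
REPORT_NAME_ALLOWED = re.compile(r"[A-Za-z0-9_-]{1,64}")
MAX_BODY_BYTES = 4096


def virtual_patch(request):
    """Return None if the request passes, otherwise a short reason for blocking."""
    report = request["params"].get("report")
    if report is not None and not REPORT_NAME_ALLOWED.fullmatch(report):
        return "report parameter outside allowed character set"
    if len(request.get("body", b"")) > MAX_BODY_BYTES:
        return "request body exceeds size limit"
    return None


def protected_handler(request, log):
    """Wrap the untouched handler: block and log, or pass the request through."""
    reason = virtual_patch(request)
    if reason:
        # Logging every block gives the SOC evidence of exploitation attempts
        # and a signal for how urgently the real patch is needed.
        log.append({"action": "blocked", "path": request["path"], "reason": reason})
        return {"status": 403, "body": "request blocked by virtual patch"}
    return legacy_report_handler(request)


# Constructed sample traffic: one benign request, one traversal-style value,
# one oversized body.
SAMPLE_REQUESTS = [
    {"path": "/report", "params": {"report": "q3_sales"}, "body": b""},
    {"path": "/report", "params": {"report": "../../config"}, "body": b""},
    {"path": "/report", "params": {"report": "ok"}, "body": b"x" * 5000},
]


def run_samples():
    """Run the constructed traffic through the wrapped handler; return responses and log."""
    log = []
    responses = [protected_handler(r, log) for r in SAMPLE_REQUESTS]
    return responses, log


if __name__ == "__main__":
    responses, log = run_samples()
    for resp in responses:
        print(resp["status"], resp["body"])
    for entry in log:
        print(entry)
```

The first request reaches the legacy handler; the other two are rejected with a 403 and recorded in the block log without a single line of the handler changing. That is the point of a virtual patch: it buys time, and the log of blocked requests tells you how badly the real patch is needed, but it does not remove the underlying flaw, so the vendor patch still has to be applied.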
Cyber attacks continue to gain momentum. No piece of software is ever perfect, and bugs will remain an unwanted presence for the foreseeable future. However, when bugs tip over into vulnerability territory — meaning they go from a minor user experience annoyance to a potential liability — that’s when you need to take steps to protect yourself.
Make sure that you take the best ones possible.