Software Vulnerability Management, 2016 Predictions

Author: Steve Beards, VP APAC of Flexera Software

Vulnerability landscape

Security Pros Can’t Rest on Their Laurels - Vulnerabilities Are Here to Stay

Year after year, the number of vulnerabilities recorded increases: in 2014 the total was 15,435, split across 3,870 products offered by 500 different vendors. While the numbers for 2015 are not yet in, there is no indication that they are decreasing.

Since all it takes for hackers to gain entry to the infrastructure is one vulnerability, the sheer volume of vulnerabilities and products will continue to put pressure on IT security professionals, who need to have full visibility of their infrastructure to be able to ascertain whether vulnerable software is present in their systems, assess the risk to the business, and prioritise the mitigating actions required, to stay secure and compliant.

Companies Will Have Power to Prevent Most Hacks Before They Happen – If They Act

While the volume of vulnerabilities will continue to stay at the current overwhelming levels in 2016, there will be good news for security professionals. The vast majority of vulnerabilities can be patched on the same day they are disclosed to the public – in 2014, out of all the 15,435 vulnerabilities recorded, a full 83% had a security patch available on the day of disclosure.

Flexera Software does not expect significant changes in 2016, meaning it is in the hands of IT teams to patch vulnerabilities immediately, before hackers start to exploit them to gain access to business-critical data!

To accomplish this, operations and security teams will need sufficient insight into their environments to discover and inventory their software and hardware assets, receive vulnerability intelligence whenever vulnerabilities are discovered in those products, and apply the security patch published by the vendor. A vast majority – more than 83% – of vulnerability problems can be solved in this manner.

In 2016 a Proactive Approach to Security Will Be More Important Than Ever Before

In 2016 it will be increasingly important for organisations to take a proactive approach to security, rather than the reactive approach that traditional security technologies, such as antivirus (AV), represent. While AV and the various behavioural malware detection technologies that have evolved over the past years focus on reactively identifying malware already in a company’s infrastructure or on PCs, these approaches only detect and alert organisations to what has already made it on to their systems.

A more proactive approach that companies will start adopting is to identify and patch software vulnerabilities as they become known, thereby eliminating the root cause of many security issues and ensuring that malware doesn’t get on to those systems in the first place, by closing the entry points malware uses as attack vectors.

Threat landscape

IoT – Everything Connected to the Internet Can and Will Be Hacked!


Software vendors and hardware manufacturers will need to increase focus on security when they develop their Internet-connected products.

The glorious new world of the Internet of Things (IoT) brings with it endless opportunities – and, from a security standpoint, quite a few challenges. From a security perspective there is one overriding rule of thumb to get across to vendors and consumers alike in 2016: No internet-connected device is 100% secure. If it’s connected to the internet, it can be hacked.

As the software producer community and the traditional manufacturing companies come to grips with this new era, it will be important for them to attune their devices to security needs. This includes careful code testing, continuous maintenance, careful mapping of bundled software and verified intelligence about vulnerabilities in it, and ample resources to react promptly and effectively as soon as a vulnerability in the product is reported.

Device Manufacturers Will Become Better at Pushing Security Updates

As the Internet of Things expands, hardware and software manufacturers will need to improve their collaboration on security, and work together to issue patches and push updates directly to all devices. On the back of the Stagefright incident, a series of high-severity vulnerabilities which affected nearly all Android devices in 2015, both Google and some of the phone vendors behind Android devices are already upping their focus on how to get security updates pushed from the software vendor out to end-user devices. The entire Android vendor community is rallying to improve and will hopefully become better at issuing security updates for their products more proactively than they have in the past.

The story shone the light on the challenges facing hardware manufacturers when they embark on their journey into the Internet of Things – the need to focus on security, issue patches and push updates directly to all devices.


APT Attacks Targeting and Used by Government will Increase in 2016

In 2016, governmental organisations and corporations critical to a country’s infrastructure will continue to be high-profile targets for criminal organisations and nation states wishing to cause damage to other nation states and their critical infrastructure.

We are currently seeing an increase in reports of Advanced Persistent Threats (APTs), and it is safe to assume that the APTs we hear of are only the tip of the iceberg.

As such, these organisations will continue to be targeted by increasingly sophisticated attacks – the so-called Advanced Persistent Threat attacks. APTs are designed and executed by professionals who customise exploit kits for attacks. Vulnerabilities, including zero-day vulnerabilities, are an important tool in APT attacks. As APTs become more widespread, more resources will be invested in discovering unknown vulnerabilities, and we should therefore expect a correspondingly high level of zero-days in the next year.


From 2013 to 2014 we saw a dramatic increase in zero-days: Secunia Research at Flexera Software recorded 14 in 2013 and 25 in 2014, and expects to see similar numbers for 2015.

Bundling Jeopardises Security: IT Pros Need to Get Better Visibility

Vendors are increasingly bundling their products with additional software, such as open source applications and libraries, making it harder for customers to know which products are in fact present on their systems. IT security and operations professionals will have to improve their handling of the opaque area that is bundling in 2016.

The security consequences of vendors bundling their software with open source libraries caught the IT community completely unprepared back in 2014, when the Heartbleed vulnerability and the subsequent security releases of the open source library OpenSSL made the IT community realise how much all that shared code complicates security.

In addition to known software vulnerabilities in known products in the infrastructure, IT Pros therefore need to investigate and map the third-party applications bundled with the products they use in their environment, and ensure that they stay apprised of any vulnerabilities that affect them.
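The inventory-plus-intelligence workflow described above, and the bundling problem in this section, can be illustrated with a small matcher. This is an added example, not code from Flexera Software or the article: it takes a constructed asset inventory in which each product lists the components it bundles, matches every product and every bundled component against constructed advisories, and orders the resulting exposures so that those with a vendor patch already available come first. The data class names, the host and product names, and the version strings are all assumptions made up for the example.

```python
"""Match an asset inventory, including bundled components, against vulnerability advisories."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Advisory:
    component: str        # product or library name as it appears in the inventory
    affected: tuple       # versions the advisory reports as vulnerable
    patch_available: bool  # vendor patch available at disclosure


@dataclass
class Product:
    name: str
    version: str
    bundled: dict = field(default_factory=dict)  # bundled component name -> version


@dataclass(frozen=True)
class Exposure:
    host: str
    product: str          # the installed product that carries the exposure
    component: str        # the product itself, or the bundled component that matched
    version: str
    patch_available: bool


def find_exposures(hosts, advisories):
    """Return one Exposure per (host, product, component) that an advisory covers.
    A product is checked by its own name/version and by every component it bundles,
    so a patched standalone library does not hide a vulnerable bundled copy."""
    by_component = {}
    for adv in advisories:
        by_component.setdefault(adv.component, []).append(adv)
    exposures = []
    for host, products in hosts.items():
        for prod in products:
            candidates = [(prod.name, prod.version)] + list(prod.bundled.items())
            for comp, ver in candidates:
                for adv in by_component.get(comp, []):
                    if ver in adv.affected:
                        exposures.append(Exposure(host, prod.name, comp, ver, adv.patch_available))
    return exposures


def prioritise(exposures):
    """Patchable exposures first (fix today); those awaiting a vendor fix last (mitigate)."""
    return sorted(exposures, key=lambda e: (not e.patch_available, e.host, e.product))


# Constructed sample data for the example (not real advisories or real hosts).
ADVISORIES = [
    Advisory("openssl", ("1.0.1e", "1.0.1f"), patch_available=True),
    Advisory("libpng", ("1.6.15",), patch_available=False),
]
HOSTS = {
    "web01": [Product("nginx", "1.8.0", {"openssl": "1.0.1f"}),   # bundled copy is vulnerable
              Product("openssl", "1.0.1g")],                      # standalone copy is not
    "app02": [Product("imagetool", "3.2", {"libpng": "1.6.15", "openssl": "1.0.1e"})],
}
```

Running `prioritise(find_exposures(HOSTS, ADVISORIES))` on the sample lists the two bundled OpenSSL copies (patch available) ahead of the bundled libpng, and does not flag web01’s patched standalone OpenSSL.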
