Security Pros Can’t Rest on Their Laurels - Vulnerabilities Are Here to Stay
Year after year, the number of vulnerabilities recorded increases: in 2014 the total was 15,435, split across 3,870 products offered by 500 different vendors. While the numbers for 2015 are not yet in, there is no indication that they are decreasing.
Since all it takes for hackers to gain entry to an infrastructure is one vulnerability, the sheer volume of vulnerabilities and products will continue to put pressure on IT security professionals. To stay secure and compliant, they need full visibility of their infrastructure so they can ascertain whether vulnerable software is present on their systems, assess the risk to the business, and prioritise the mitigating actions required.
Companies Will Have Power to Prevent Most Hacks Before They Happen – If They Act
While the volume of vulnerabilities will continue to stay at the current overwhelming levels in 2016, there will be good news for security professionals. The vast majority of vulnerabilities can be patched on the same day they are disclosed to the public: of the 15,435 vulnerabilities recorded in 2014, a full 83% had a security patch available on the day of disclosure.
Flexera Software does not expect significant changes in 2016, meaning it is in the hands of IT teams to patch vulnerabilities immediately, before hackers start exploiting them to gain access to business-critical data!
To accomplish this, operations and security teams will need sufficient insight into their environments to discover and inventory their software and hardware assets, receive vulnerability intelligence whenever vulnerabilities are discovered in those products, and apply the security patch published by the vendor. The vast majority of vulnerability problems, more than 83%, can be solved in this manner.
In 2016 a Proactive Approach to Security Will Be More Important Than Ever Before
In 2016 it will be increasingly important for organisations to take a proactive approach to security rather than the reactive approach that traditional security technologies, such as antivirus (AV), represent. AV and the various behavioural malware detection technologies that have evolved over the past years focus on identifying malware that is already in a company's infrastructure or on its PCs; these approaches only detect and alert organisations to what has already made it onto their systems.
The more proactive approach that companies will start adopting is to identify and patch software vulnerabilities as they become known, eliminating the root cause of many security issues and ensuring that malware doesn't get onto those systems in the first place, by closing the entry points malware uses as attack vectors.
IoT – Everything Connected to the Internet Can and Will Be Hacked!
Software vendors and hardware manufacturers will need to increase focus on security when they develop their Internet-connected products.
The glorious new world of the Internet of Things (IoT) brings with it endless opportunities and, from a security standpoint, quite a few challenges. There is one overriding rule of thumb to get across to vendors and consumers alike in 2016: no internet-connected device is 100% secure. If it's connected to the internet, it can be hacked.
As the software producer community and traditional manufacturing companies come to grips with this new era, it will be important for them to attune their devices to security needs.
This includes careful code testing, continuous maintenance, careful mapping of bundled software and verified intelligence about vulnerabilities in that software, and ample resources to react promptly and effectively as soon as a vulnerability in the product is reported.
Device Manufacturers Will Become Better at Pushing Security Updates
As the Internet of Things expands, hardware and software manufacturers will need to improve their collaboration on security, and work together to issue patches and push updates directly to all devices. On the back of the Stagefright incident, a series of high-severity vulnerabilities that affected nearly all Android devices in 2015, both Google and some of the phone vendors behind Android devices are already increasing their focus on how to get security updates pushed from the software vendor out to end-user devices. The entire Android vendor community is rallying to improve and will hopefully become better at issuing security updates for their products more proactively than they have in the past.
The story shone a light on the challenges facing hardware manufacturers as they embark on their journey into the Internet of Things: the need to focus on security, issue patches and push updates directly to all devices.
APT Attacks Targeting and Used by Governments Will Increase in 2016
In 2016, governmental organisations and corporations critical to a country's infrastructure will continue to be high-profile targets for criminal organisations and for nation states wishing to cause damage to other nation states and their critical infrastructure.
We are currently seeing an increase in reports of Advanced Persistent Threats (APTs), and it is safe to assume that the APTs we hear of are only the tip of the iceberg.
As such, these organisations will continue to be targeted by increasingly sophisticated attacks, the so-called Advanced Persistent Threat attacks. APTs are designed and executed by professionals who customise exploit kits for their attacks. Vulnerabilities, including zero-day vulnerabilities, are an important tool in APT attacks. As APTs become more widespread, more resources will be invested in discovering unknown vulnerabilities, and we should therefore expect a correspondingly high number of zero-days in the coming year.
From 2013 to 2014 we saw a dramatic increase in zero-days: Secunia Research at Flexera Software recorded 14 in 2013 and 25 in 2014, and expects to see similar numbers for 2015.
Bundling Jeopardises Security: IT Pros Need Better Visibility
Vendors are increasingly bundling their products with additional software, such as open source applications and libraries, complicating the customers' ability to know which products are in fact present on their systems. In 2016, IT security and operations professionals will have to improve their handling of the opaque area that is bundling.
The security consequences of vendors bundling their software with open source libraries caught the IT community completely unprepared back in 2014, when the Heartbleed vulnerability and the subsequent security releases of the open source library OpenSSL made the IT community realise how all the shared code complicates security tenfold.
In addition to known software vulnerabilities in known products in the infrastructure, IT pros therefore need to investigate and map the third-party applications bundled with the products they use in their environment, and ensure that they stay apprised of any vulnerabilities that affect them.
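The inventory-plus-intelligence workflow described under "Companies Will Have Power to Prevent Most Hacks" and the bundled-component mapping described here, as an added example that is not part of the original article or any Flexera product: a small Python script that walks an inventory in which each product lists the third-party components it ships with, matches those components against an advisory feed, and orders the findings so that items with a vendor patch available are dealt with first. The product names, component versions and advisory identifiers are constructed placeholders.

```python
"""Match a software inventory (including bundled components) against a
vulnerability feed and rank what to patch first. All data is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # placeholder identifier, not a real advisory
    component: str        # "name version" of the affected component
    severity: int         # 1 (low) .. 5 (critical)
    patch_available: bool # vendor fix published on the day of disclosure?


@dataclass(frozen=True)
class Finding:
    advisory_id: str
    product: str          # the product that is actually installed
    component: str        # the bundled component the advisory concerns
    severity: int
    patch_available: bool


# Constructed inventory: installed product -> third-party components it bundles.
INVENTORY = {
    "web-frontend 2.3": ["openssl 1.0.1f", "zlib 1.2.8"],
    "backup-agent 5.1": ["openssl 1.0.1f"],
    "hr-portal 1.0": ["libxml2 2.9.1"],
}

# Constructed advisory feed; ids, versions and severities are placeholders.
ADVISORIES = [
    Advisory("ADV-0001", "openssl 1.0.1f", 5, True),
    Advisory("ADV-0002", "libxml2 2.9.1", 3, False),
    Advisory("ADV-0003", "zlib 1.2.8", 2, True),
]


def findings(inventory, advisories):
    """Every (product, bundled component) pair hit by an advisory. Sorted so
    patchable, high-severity items come first; the same library bundled in
    two products yields two findings, because both must be updated."""
    by_component = {}
    for adv in advisories:
        by_component.setdefault(adv.component, []).append(adv)
    hits = []
    for product, components in inventory.items():
        for comp in components:
            for adv in by_component.get(comp, []):
                hits.append(Finding(adv.advisory_id, product, comp,
                                    adv.severity, adv.patch_available))
    return sorted(hits, key=lambda f: (not f.patch_available, -f.severity, f.product))


def patch_coverage(hits):
    """Share of findings that can be closed today with a vendor patch."""
    return sum(f.patch_available for f in hits) / len(hits) if hits else 1.0
```

The unpatchable libxml2 finding sorts last, which is exactly the residue that needs a compensating control rather than a patch.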