Despite what Hollywood tells you, most hackers don’t need to be sophisticated computer geniuses. Instead, many of the hackers besieging companies in a rising tide of cyberattacks rely on an overwhelming speed advantage to sneak into systems before the companies can respond.
A new report from Kenna Security, examining 50,000 organizations and more than 1.2 billion successful exploits this year, shows that most businesses take up to 120 days to address critical vulnerabilities in their systems, leaving what amounts to an open door for hackers to exploit.
“Exploitation is almost guaranteed,” according to the researchers.
Forty days after a vulnerability becomes public, the chances that a company has been hacked rise to 90 percent, if it didn’t fix the problem in that time period. It takes most companies twice that long to put up proper defenses, leaving a monthslong period during which hackers can waltz right in.
“Exploitation is almost guaranteed.”
Hackers are simply faster than security teams, who are often stretched thin and don’t know which exploit to defend against first.
Kenna reports witnessing more than 1.2 billion successful exploits so far in 2015. That’s a 445 percent increase over 2013 and 2014 combined, when the exploit numbers added up to 220 million. That aligns with numbers from the FBI. Kenna is a private, for-profit security firm, and its findings have not been peer-reviewed. Like many security firms, Kenna makes money through threat and vulnerability management. The company therefore has a vested interest in the results of its research.
Despite billions of dollars flowing into the rapidly expanding cybersecurity industry, security continues to perplex many companies.
“Security can be daunting,” John Weigelt, the chief technology officer at Microsoft Canada, told the Kernel by phone. “It’s one of those areas of arcane knowledge. There’s a certain pride in understanding the details, but we, as security practitioners, need to work hard to make things simple.”
Weigelt argued that even the experts have become complacent and increasingly ineffective in the face of evolving threats. Worst of all, myths about the genius of hackers produce huge confusion about the reality of cybervulnerabilities.
“We have to deflate myths around the sophistication of attacks,” Weigelt said. “There are a few attacks out there that require a lot of effort and political capital to do. But when we look at the threat environment, we see a lot of attacks using vulnerabilities for which patches were delivered long ago.”
Hackers almost always “use the cheapest and most available tools” because they work. The “vast majority of exploits happen on unpatched systems,” Weigelt said.
The hackers who get the biggest headlines are known as Advanced Persistent Threats (APTs). They’re typically part of teams run by governments in Moscow and Beijing. They conduct cutting-edge targeted attacks that shred most traditional defenses. But APTs are an infinitesimal sliver of the threat spectrum. For the most part, large automated waves of untargeted attacks wash over security teams and win simply by scale.
“Non-targeted attacks represent a vastly different challenge than the more widely publicized Advanced Persistent Threats,” the Kenna researchers explained. “Attackers in volume care less about who they hit and rather what they can get, which is why they also deploy automated methods that give them economies of scale. They can go farther, and hit more—all in hopes of finding data they can use (credit cards, [social security numbers], etc).”
Both Weigelt and the Kenna researchers noted that there are simple but effective remedies: Quickly updating machines, using malware detectors, and encrypting disks and communications. But in the current climate—it’s hurricane season, if we can keep up the metaphors, and the waves are creeping higher—it’s easy for the global security industry to get overwhelmed and possibly even sink.
A version of this story originally appeared on the Daily Dot on Sept. 29, 2015.
Photo via Vassilis/Flickr (CC by 2.0) | Remix by Max Fleishman