April 7, 2016 |

Investigation Finds Thousands of Exploitable Weaknesses in Company Networks

An investigation conducted by cyber security company F-Secure finds thousands of severe vulnerabilities attackers can use to infiltrate company infrastructure.

An investigation conducted in early 2016 by cyber security company F-Secure discovered thousands of severe weaknesses in corporate networks that attackers can use to infiltrate companies. The investigation used F-Secure Radar, a vulnerability scanning and management solution, to uncover tens of thousands of instances of misconfigured systems, unpatched software, and other weaknesses, confirming to security experts that many companies don’t have enough visibility over their networks.

The investigation found that, out of nearly 85,000 instances of the 100 most common vulnerabilities identified in corporate networks, approximately seven percent of them have high severity ratings according to standards used by the National Vulnerability Database.* Nearly half of these highly severe weaknesses were exploitable, and could be used by attackers to gain control over compromised machines via remote code execution. And nearly all of these exploitable weaknesses are easy to fix with the right software patches or simple administrative changes.

“It’s bad news for a company if an attacker finds one of these highly severe vulnerabilities,” said Jarno Niemelä, Lead Researcher, F-Secure Labs. “The fact that we found thousands of issues this severe suggests some serious security shortfalls amongst companies. Either they’re not implementing patch management programs, or they’re forgetting to include parts of their network in their maintenance practices. But no matter what the underlying cause is, it’s lots of opportunities for attackers, and lots of breaches waiting to happen.”

This finding reinforces previous warnings regarding the importance of implementing simple security measures. According to the United States Computer Emergency Readiness Team, following a few easy steps such as patching vulnerable software can prevent up to 85 percent of targeted cyber attacks.**

Every Vulnerability is like a ‘Kick me’ Sign

While the investigation found thousands of highly severe weak points, the findings pointed to misconfigured systems as being far more common. The 10 most frequent vulnerabilities found were low or medium severity issues, but accounted for 61 percent of all weaknesses discovered in the investigation. While these issues lack the severity of high-risk vulnerabilities, they encourage hackers to investigate further and look for additional weak spots.

“These issues aren’t particularly pressing if you think about them intrinsically, but hackers see non-critical issues as the cyber security equivalent of a ‘kick me’ sign,” said Andy Patel, Senior Manager, F-Secure Technology Outreach. “There’s lots of ways to stumble across these vulnerabilities just by casually browsing the web. Even hackers uninterested in doing anything bad could be tempted to pull at the thread and see what unravels. Companies that are lucky could get a helpful email informing them of the problem, but the unlucky ones are going to have professional criminals conducting reconnaissance in preparation for targeted attacks.”

Visibility of Networks and Vulnerabilities Key Preventative Measure

F-Secure’s vulnerability scanning solution, F-Secure Radar, is a certified PCI ASV solution that gives companies a complete overview of their networks, and highlights weaknesses that attackers can use to compromise systems. It includes different scanning options to provide a comprehensive analysis of networks, and ranks vulnerabilities according to their severity. Companies can use the scans to map the different systems integrated with the network, check web applications (even custom-built APIs tailored to fit unique networks and infrastructure), and locate outdated, unpatched, or misconfigured parts of their network.

According to Rune Kristensen, Director, Radar Services, F-Secure, offering Radar to companies allows them to implement security measures that are integral to a holistic cyber security strategy. “Visibility is an important preventative measure, and we’re planning to enhance Radar’s capabilities to give companies even better visibility in the future. For example, many companies outsource certain services to third parties without taking security precautions, or even informing their IT personnel. We’re developing ways to include scanning third-party services integrated into corporate networks, which can provide much needed visibility into how weaknesses in a company’s data supply chain could expose them to attacks.”

Radar can be purchased as a license product and administered directly by companies, or as a service provided by F-Secure or selected reseller partners. Using Radar as a service not only provides scans conducted at agreed upon intervals, but it also provides additional support through reporting and expert guidance on patching and hardening vulnerabilities. Radar is suitable primarily for mid to large-sized companies, and available now.

*Source: https://nvd.nist.gov/cvss.cfm
**Source: https://www.us-cert.gov/ncas/alerts/TA15-119A?hootPostID=b6821137ae5173095390bd502ae04892

More information:

F-Secure Radar
What does Vulnerability Management mean to you?

F-Secure – Switch on freedom

F-Secure has been defending tens of millions of people around the globe from digital threats for over 25 years. Our award-winning products protect people and companies against everything from crimeware to corporate cyberattacks, and are available from over 6000 resellers and 200 operators in more than 40 countries. We’re on a mission to help people connect safely with the world around them, so join the movement and switch on freedom!

Founded in 1988, F-Secure is listed on NASDAQ OMX Helsinki Ltd.

f-secure.com | twitter.com/fsecure | facebook.com/f-secure

F-Secure media relations

Adam Pilkey
+358 40 637 8859

Downloads & other Goodies


Latest Press Releases

July 31, 2018

Spam Is Still the Choice of Online Criminals, 40 Years Later

Spam is the number one source of malware as criminals add a few new tricks to this classic method, new research from F-Secure and MWR InfoSecurity finds.

July 24, 2018

F-Secure Listed as a Vendor to Watch in Gartner Market Insight: Address 3 Critical Security Issues to Differentiate Yourself in the Connected Home Market

F-Secure believes its investment in artificial intelligence and relationships with 200 carrier partners worldwide are validated by its report listing.

June 26, 2018

F-Secure SENSE Wins ‘Hotly Contested’ IoT Award from Connected Britain

F-Secure pipped the competition to the post with its SENSE security solution.

June 18, 2018

F-Secure Takes A Big Step Towards Cyber Security Leadership By Acquiring MWR InfoSecurity

Acquisition adds industry leading threat hunting platform to F-Secure’s detection and response offering and expands cyber security services to the biggest markets globally

%d bloggers like this: