Legacy Vulnerabilities Are Still a Problem

Known vulnerabilities often go unfixed for a variety of reasons. Unfortunately, these legacy vulnerabilities are still being exploited by threat actors, causing problems for businesses worldwide.

Almost every business worldwide feels the impact that COVID-19 has had on the global economy. There are a few which have benefited from the pandemic and some which have remained stable, but even those have felt the impact in some way. Work from home. Social distancing. Wearing a mask. Telehealth, virtual school, no fans at sporting events, no Broadway shows or concerts, no alcohol after 10pm. Cyberattacks and physical crimes on the rise. Every industry has felt it. Every business has done the best it can to keep afloat and keep pace with technology, but failing to secure legacy vulnerabilities has hurt a lot of businesses.

VPNs have had known issues that went unfixed, probably because many businesses didn’t use them much. But now they are using them daily, and those vulnerabilities still aren’t fixed. With open vulnerabilities in a VPN, a threat actor has a much easier time infiltrating your business systems. These are legacy vulnerabilities, meaning they’ve been around for a long time, much like the legacy systems businesses still use today. That’s not a bad thing, as long as those legacy items are secured.

Previously, we discussed the three most prominent vulnerabilities in VPNs in an article on healthcare. But those VPNs are utilized by other companies as well. The three CVEs in reference are:

1. CVE-2018-13379: Fortinet FortiOS SSL VPN Web Portal Information Disclosure
2. CVE-2019-11510: Arbitrary File Disclosure in Pulse Connect Secure
3. CVE-2019-19781: Citrix Application Delivery Controller (ADC) and Gateway

Again, as stated in the previous article, these are very clearly known vulnerabilities. If you visit the Open Web Application Security Project (OWASP) website, you can find a list of the top 10 web application security risks. On it you will find that the list includes injection flaws, access control issues, misconfigurations, use of components with known vulnerabilities and more. The top 10 changes a little once in a while, but it mostly continues to include known problems that hackers and threat actors continue to exploit today.

There has been so much focus on digital transformation: providing resources to employees who are suddenly working from home and potentially pulling triple duty as a parent and teacher in virtual school, and adding new features to products in a socially distant and digital environment. That focus has taken attention away from securing these items, despite an exponential uptick in cybersecurity attacks. New vulnerabilities and misconfigurations are discovered on a regular basis as well, so now businesses are chasing their tails trying to secure the very things they have used to keep their business running during the pandemic.

We sometimes sound like a broken record, always talking about how security can’t be put off, and how you can’t rush through a new project or application deployment without knowing it’s secure. Here’s what happens when you rush through a project without verifying security. Varonis has released 134 Cyberstatistics and Trends for 2021, and per Cybint, 95% of cybersecurity breaches are caused by human error. That’s what happens when you rush, or when you put off security and give a coder a short deadline to get it done when they need more time but can’t get it. This is also what happens when teams rush through an onboarding process and give internal cloud systems access to the janitor. There are some other pretty daunting statistics in that article: 68% of business leaders feel their cybersecurity risks are increasing, only 5% of companies’ folders are properly protected, and data breaches exposed 36 BILLION records in the first half of 2020… that’s only 6 months, and attacks skyrocketed at the end of the year.

The average cost of a data breach is $3.86 million as of 2020. That’s the average cost, which is not dependent on business size. That number alone shows why small and medium-sized businesses absolutely cannot skimp on security. That kind of price tag will surely shut their doors for good.

A final, staggering set of statistics for 2020 is as follows: the average time to identify a breach in 2020 was 207 days, and the average lifecycle of a breach was 280 days from identification to containment. That means that a breach’s lifecycle lasted three quarters of the year. How much damage can be done in that amount of time? The short answer is, a lot. The longer answer is, we still don’t know.

These numbers, these statistics, are a demonstration of what ostrich syndrome reaps. Security cannot wait. Security cannot be pushed aside, left alone, or done once and never revisited. It’s a constant, ongoing process to protect the information in your business. Hire an expert to help put everything the way it needs to be. Don’t be the next victim, the next business to shut its doors because a threat actor decided you were an easy target. Fortify your security now, starting with those legacy vulnerabilities.

About the Author

PWV Consultants is a boutique group of industry leaders and influencers from the digital tech, security and design industries that acts as a trusted technical partner for many Fortune 500 companies, high-visibility startups, universities, defense agencies, and NGOs. It was founded by 20-year software engineering veterans who have founded or co-founded several companies. PWV experts act as trusted advisors and mentors to numerous early-stage startups, and have held the titles of software and software security executive, consultant and professor. PWV's expert consulting and advisory work spans several high-impact industries in finance, media, medical tech, and defense contracting. PWV's founding experts also authored the highly influential precursor HAZL (jADE) programming language.
