Legacy vulnerabilities may be biggest enterprise cyber risk

While high-profile cyber attacks and zero-days grab headlines, statistics gathered by network security specialists Cato suggest CISOs should be addressing legacy threats

Cyber attacks exploiting vulnerabilities in unpatched legacy systems, via consumer applications such as TikTok, and originating from friendly countries may be a bigger risk to the average organisation than attacks through novel zero-days conducted by Chinese or Russian APT groups, according to a report produced by secure access service edge (SASE) specialist Cato Networks.

In compiling the SASE Threat research report, the Tel Aviv-based network security firm said it found strong evidence that mainstream preconceptions of enterprise security and network usage are frequently highly inaccurate.

The data was collated via Cato’s own converged SASE service, which enabled the firm to pull security and network analysis data from 200 billion traffic flows across 850 customer networks during the first three months of 2021.

Etay Maor, Cato senior director of security strategy, said: “During Q1, we saw how enterprise security leaders can’t focus on newly discovered vulnerabilities at the expense of older, more mundane risks.

“Threat actors constantly scan for unpatched, EOL [end of life] and legacy systems, vulnerabilities that are two to nearly 20 years old.”

Maor explained that the cyber security industry has a tendency to focus on the latest and greatest “exotic” attacks, such as the SolarWinds breaches of late 2020 and early 2021, at the expense of addressing older exploits – some of which date back to the early 2000s.

Cato’s analysis found that attackers frequently scanned for such vulnerabilities, with many of them unsurprisingly targeting network hardware and software to gain initial access to target systems.

“While organisations always need to keep up with the latest security patches, it is also vital to ensure older system and well-known vulnerabilities from years past are monitored and patched as well,” he said. “Threat actors are attempting to take advantage of overlooked, vulnerable systems.”

The data also revealed a much higher incidence of attacks conducted through enterprise and consumer applications, with a particular focus on remote access software, such as remote desktop protocol (RDP) and virtual networking compute (VNC), and TeamViewer – which has been successfully exploited in a number of recent incidents, particularly in attacks on critical national infrastructure (CNI).

Cato also identified a significant number of threats coming via consumer apps operating over enterprise networks, with the most significant source of risk being TikTok – which accounted for millions more traffic flows than other popular apps such as Google Mail, LinkedIn or Spotify.

The first quarter of 2021 also saw a significant increase in traffic over trading apps such as Robinhood and eToro – the use of which also outpaced many of the more popular apps.

“While several governments have raised privacy concerns with TikTok, and ultimately banned this application from their networks and devices, too many enterprise networks continue to carry TikTok flows,” said Maor.

“The increase in consumer applications not only consumes bandwidth, but poses a security risk to enterprises. As the type of data flow and applications changes, so does the way in which threat actors exploit vulnerabilities, and – in turn – the way enterprises secure their networks must change as well.”

The report’s other noteworthy findings included the observation that the bulk of illegitimate traffic does not necessarily originate from within China or Russia – domains that are frequently blocked by enterprise access controls to mitigate cyber risk. In fact, Cato’s analysis showed that, in many more cases, the call was coming from inside the house, with more malware attacks originating from within the US than any other country.

“Blocking network traffic to and from ‘the usual suspects’ may not necessarily make your organisation more secure,” Maor observed. “Threat actors are hosting their command and control [C2] servers on ‘friendly’ grounds, including the US, Germany, and Japan.”

The full report can be downloaded from Cato Networks’ website.

Read more about vulnerability management

  • As cyber criminals increasingly look to exploit vulnerabilities in software and hardware, businesses must build and implement an effective vulnerability management programme to counter this growing threat.
  • A new module for AppDynamics’ AIOps platform uses APM data to perform vulnerability management monitoring and automated attack blocking as DevSecOps market buzz continues.

Read more on Network security management