Complacency in addressing known vulnerabilities puts users at risk
If you have even a passing interest in security vulnerabilities, there’s no chance that you missed the news about the DROWN vulnerability. It’s one of the biggest vulnerabilities to hit since Heartbleed, potentially impacting a third of all HTTPS websites. By exploiting the obsolete SSLv2 protocol, this flaw makes it possible for an attacker to eavesdrop on a TLS session.
Because we use SSL and TLS encryption to shop, send messages, and send emails online, DROWN potentially allows attackers to access our messages, passwords, credit card details, and other sensitive data.
DROWN was disclosed on March 1, but a full week later Netskope identified 676 SaaS applications that were still vulnerable to the attack. This highlights a recurring problem we see time and time again in the security industry — a failure to remediate vulnerabilities.
Detecting issues is only the first step; companies must take action to close loopholes and protect their customers.
Interestingly, Netskope also pointed out that of those 676 SaaS apps, 73 are also still vulnerable to FREAK, 42 are still vulnerable to Logjam, and 38 are still vulnerable to OpenSSL CCS attack.
The longer it takes to deal with a known vulnerability, the higher your risk of a successful attack. Known vulnerabilities still pose the biggest IT security threats, and there’s little sign that’s going to change any time soon.
We saw the same pattern of complacency after the Heartbleed vulnerability was unveiled. A full year later, 74% of Global 2000 companies with public-facing systems vulnerable to Heartbleed had failed to remediate the problem across all servers, according to security firm Venafi.
Netskope has been posting daily updates on DROWN, and it’s clear that some companies are taking action, but as of March 14, two weeks after the disclosure, there are still 513 vulnerable apps.
Dealing with DROWN
There has been some disagreement about how easy it is to exploit DROWN, but it’s certainly a potentially serious vulnerability that’s worth addressing. You can check to see whether your own website is vulnerable by visiting the DROWN Attack website.
It’s also not especially difficult to remediate: simply disable SSLv2 on all of your servers, and ensure that private keys are not used anywhere with server software that still allows SSLv2 connections. SSLv2 is an obsolete protocol that should already have been removed because of its inherent weaknesses.
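The two remediation checks above can be scripted. The following is an added example, not code from this article, from Netskope or from the DROWN Attack website: it sends a minimal SSLv2 ClientHello to a server you operate and reports whether the server answers with an SSLv2 ServerHello (accepts SSLv2), a TLS alert, or nothing, and it flags every host whose private key is shared with any host that still accepts SSLv2. The message layouts follow the SSLv2 specification; the host names, key fingerprints and sample server reply are constructed placeholders, and the script only parses the handshake reply, it does not carry out the attack.

```python
"""Check servers you operate for SSLv2 support, the protocol DROWN abuses.

Added example for this article (not from Netskope or the DROWN authors).
It sends one SSLv2 ClientHello and parses the reply; it does not perform
the attack. Host names and fingerprints below are constructed placeholders.
"""
import os
import socket
import struct
import sys

# SSLv2 cipher-kind identifiers (3 bytes each) from the SSLv2 specification.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}


def build_sslv2_client_hello(challenge: bytes = b"") -> bytes:
    """Build an SSLv2 ClientHello record offering every SSLv2 cipher kind."""
    challenge = challenge or os.urandom(16)
    specs = b"".join(SSLV2_CIPHERS)           # dict keys are the 3-byte ids
    body = (
        b"\x01"                                # MSG-CLIENT-HELLO
        + b"\x00\x02"                          # client version 2
        + struct.pack("!HHH", len(specs), 0, len(challenge))
        + specs + challenge                    # no session id
    )
    # Two-byte record header with the high bit set (no padding byte).
    return struct.pack("!H", 0x8000 | len(body)) + body


def parse_sslv2_server_hello(data: bytes):
    """Return the cipher kinds offered in an SSLv2 ServerHello, or None if
    the bytes are not an SSLv2 ServerHello (for example a TLS alert)."""
    if len(data) < 2 or not data[0] & 0x80:
        return None
    length = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + length]
    if len(body) < 11 or body[0] != 0x04:      # MSG-SERVER-HELLO
        return None
    # body[1]=session-id-hit, body[2]=cert type, body[3:5]=server version
    cert_len, spec_len, _conn_len = struct.unpack("!HHH", body[5:11])
    specs = body[11 + cert_len:11 + cert_len + spec_len]
    if len(specs) != spec_len or spec_len % 3:
        return None
    return [SSLV2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex())
            for i in range(0, spec_len, 3)]


def classify_response(data: bytes) -> str:
    """Summarise a server's reply to the SSLv2 ClientHello."""
    if not data:
        return "no-sslv2 (connection closed)"
    if parse_sslv2_server_hello(data) is not None:
        return "SSLv2 ACCEPTED"
    if data[0] == 0x15:  # TLS alert record: the server spoke TLS and refused
        return "no-sslv2 (TLS alert)"
    return "no-sslv2 (unrecognised reply)"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect to host:port, send the ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            reply = b""
    return classify_response(reply)


def keys_exposed_via_sslv2(inventory):
    """DROWN works across servers: a key is at risk if ANY host using it
    accepts SSLv2. inventory: iterable of (host, key_fingerprint, accepts_sslv2).
    Returns every host whose key is exposed, including hosts that refuse SSLv2."""
    exposed = {fp for _, fp, v2 in inventory if v2}
    return sorted(host for host, fp, _ in inventory if fp in exposed)


# Constructed sample reply (not captured from a real server): an SSLv2
# ServerHello with an empty certificate offering two cipher kinds.
SAMPLE_SERVER_HELLO = (struct.pack("!H", 0x8000 | 17) + b"\x04\x00\x01\x00\x02"
                       + struct.pack("!HHH", 0, 6, 0) + b"\x01\x00\x80\x07\x00\xc0")

if __name__ == "__main__":
    # Usage: python sslv2_check.py <host-you-operate> [port]
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    print(target, probe(target, int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

Run it only against hosts you are responsible for; the inventory check is the part most teams skip, because a web server that has SSLv2 disabled still inherits the risk if the same key sits on a mail or legacy server that accepts it.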
Vulnerabilities like DROWN and FREAK really highlight the dangers of obsolete cryptography. This is something we should all be taking more seriously.
There’s a real need to break down department barriers, so that threats can be dealt with efficiently and in a timely fashion. The latest IT Security and Operations Survey from BMC and Forbes Insights found that 44% of data breaches in the U.S. and Europe are caused by known vulnerabilities. The report lays the blame on a disconnect between security and IT operations teams, which often have different goals and priorities. Lack of communication, coordination, and proper oversight is disastrous for data security.
It’s up to CIOs, working with the CISO, to ensure that security and IT groups work more closely together, not just to identify issues but to fix them as quickly as possible. Organizations need to understand that these kinds of vulnerabilities are not just a theoretical concern.
It’s also not always possible to determine when data has been breached, and it can be difficult to categorize threats and understand their severity. But one thing is perfectly clear: burying your head in the sand and failing to deal with a known vulnerability puts your customers’ data, and potentially the future of your business, at serious risk.
This article was originally posted on NetworkWorld.
Image credit: Cutcaster