Patched Flash Vulnerabilities Still a Risk

Cisco's Midyear Security Report finds challenges old and new as the overall volume of threats increase, but the time to find them is decreasing.

Flash flaws

Cisco released on July 26 its 2016 Midyear Cybersecurity Report, showing that once again Flash remains the top path to exploitation and patching remains a challenge.

According to Cisco's analysis, exploit kits continue to rely on Flash vulnerabilities to infect victims. With the popular Nuclear exploit kit, for example, Cisco reported that 80 percent of successful exploit attempts are from Flash vulnerabilities. Across five of the most well-known exploit kits (Nuclear, Magnitude, Angler, Neutrino and RIG), the CVE-2015-7645 vulnerability that Adobe patched in October is a key exploit.

The Cisco report also includes a dire projection about the continued risks from Flash.

"As long as Flash exists, it will remain an attack vector," the Cisco report states.

Multiple browser vendors, including Mozilla with its Firefox browser and Google with Chrome, have plans to stop Flash support later this year, but Cisco still expects there to be a long tail of vulnerable users. Jason Brvenik, principal engineer in the security business group at Cisco, said that user update cycles suggest that Flash will still be around for years yet to come.

"What attackers will ultimately find and use to exploit users depend on how well we execute as an industry," Brvenik told eWEEK. "Attackers are innovative, and if they have an opportunity, they will strike."

One common opportunity for attackers is the lack of patching by organizations and end users. Cisco looked at 103,121 Cisco devices connected to the internet and found that devices were running known vulnerabilities for an average of five years. Looking at software used across three million servers, Cisco found that the Apache webserver and OpenSSH remote connectivity applications were also running with vulnerabilities that had an average age of five years.

"Some people just run systems, and if they do what they're supposed to do, they just don't care about being out of date," Brvenik said. "People don't care because they're not concerned; rather they don't care because they are not aware."

Brvenik said that some users might be running devices that have already reached the end of life for support from a vendor but they still do the tasks the user wants. Such out-of-date systems, though, present an easy attack surface for hackers.

He added that there is a lot of technical debt in IT installations, and there is a real need to make extensive use of auto-update mechanisms.

Steve Martino, vice president and chief information security officer at Cisco, noted that if an individual noticed that the tires on his or her car had no tread left, the person would replace the tires to be safe. The same analogy holds true for out-of-date IT infrastructure and software—worn-out items should be replaced for safety reasons.

"There is an operational discipline that organizations need to bake into their processes," Martino told eWEEK. "Organizations care about uptime and availability, but are they measuring how well-maintained the environment is with updated software and are vulnerabilities being found quickly."

The time to detection (TTD) for security issues is a key metric that Cisco tracks. In January, Cisco's 2016 Annual Security report found that for Cisco customers, 17.5 hours was the median TTD, down from 46 hours in Cisco's 2015 midyear security report. For the 2016 midyear report, the TTD figure has fallen even further, to a median of 8.64 hours.

In Brvenik's view, TDD is one of the best metrics for measuring security as an organization can't respond to a security breach until it has been detected.

While Brvenik is optimistic that TDD is improving, he's also looking for the number to drop even further. "I'm not going to leave the front door to my house open and walk away for two hours," he said. "That's effectively what happens in networks when attackers stay there; they are roaming about your house at will."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.