Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
eWEEK.com
Search
eWEEK.com
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Patched Flash Vulnerabilities Still a Risk

    By
    SEAN MICHAEL KERNER
    -
    July 26, 2016
    Share
    Facebook
    Twitter
    Linkedin
      Flash flaws

      Cisco released on July 26 its 2016 Midyear Cybersecurity Report, showing that once again Flash remains the top path to exploitation and patching remains a challenge.

      According to Cisco’s analysis, exploit kits continue to rely on Flash vulnerabilities to infect victims. With the popular Nuclear exploit kit, for example, Cisco reported that 80 percent of successful exploit attempts are from Flash vulnerabilities. Across five of the most well-known exploit kits (Nuclear, Magnitude, Angler, Neutrino and RIG), the CVE-2015-7645 vulnerability that Adobe patched in October is a key exploit.

      The Cisco report also includes a dire projection about the continued risks from Flash.

      “As long as Flash exists, it will remain an attack vector,” the Cisco report states.

      Multiple browser vendors, including Mozilla with its Firefox browser and Google with Chrome, have plans to stop Flash support later this year, but Cisco still expects there to be a long tail of vulnerable users. Jason Brvenik, principal engineer in the security business group at Cisco, said that user update cycles suggest that Flash will still be around for years yet to come.

      “What attackers will ultimately find and use to exploit users depend on how well we execute as an industry,” Brvenik told eWEEK. “Attackers are innovative, and if they have an opportunity, they will strike.”

      One common opportunity for attackers is the lack of patching by organizations and end users. Cisco looked at 103,121 Cisco devices connected to the internet and found that devices were running known vulnerabilities for an average of five years. Looking at software used across three million servers, Cisco found that the Apache webserver and OpenSSH remote connectivity applications were also running with vulnerabilities that had an average age of five years.

      “Some people just run systems, and if they do what they’re supposed to do, they just don’t care about being out of date,” Brvenik said. “People don’t care because they’re not concerned; rather they don’t care because they are not aware.”

      Brvenik said that some users might be running devices that have already reached the end of life for support from a vendor but they still do the tasks the user wants. Such out-of-date systems, though, present an easy attack surface for hackers.

      He added that there is a lot of technical debt in IT installations, and there is a real need to make extensive use of auto-update mechanisms.

      Steve Martino, vice president and chief information security officer at Cisco, noted that if an individual noticed that the tires on his or her car had no tread left, the person would replace the tires to be safe. The same analogy holds true for out-of-date IT infrastructure and software—worn-out items should be replaced for safety reasons.

      “There is an operational discipline that organizations need to bake into their processes,” Martino told eWEEK. “Organizations care about uptime and availability, but are they measuring how well-maintained the environment is with updated software and are vulnerabilities being found quickly.”

      The time to detection (TTD) for security issues is a key metric that Cisco tracks. In January, Cisco’s 2016 Annual Security report found that for Cisco customers, 17.5 hours was the median TTD, down from 46 hours in Cisco’s 2015 midyear security report. For the 2016 midyear report, the TTD figure has fallen even further, to a median of 8.64 hours.

      In Brvenik’s view, TDD is one of the best metrics for measuring security as an organization can’t respond to a security breach until it has been detected.

      While Brvenik is optimistic that TDD is improving, he’s also looking for the number to drop even further. “I’m not going to leave the front door to my house open and walk away for two hours,” he said. “That’s effectively what happens in networks when attackers stay there; they are roaming about your house at will.”

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      CHRIS PREIMESBERGER - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      CHRIS PREIMESBERGER - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      EWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      ZEUS KERRAVALA - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      WAYNE RASH - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Info

      © 2020 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×