One of the most difficult tasks an organization faces is keeping tabs on the ever-growing threat landscape that contains malicious actors constantly probing an organization's attack surface, looking for any weakness. Making life even more difficult is an attacker's ability to quickly take advantage of when critical vulnerabilities and exploits are made public, placing cybersecurity teams on the defensive. 

To give organizations an idea of the danger presented by the presence of unpatched vulnerabilities in their systems, Trustwave SpiderLabs compiled The 2021 Trustwave SpiderLabs Telemetry Report, which reviews Internet-facing targets exposed to high-profile vulnerabilities released over the past year. Most notably, the report found that despite the high severity for some of these vulnerabilities, more than 50% of the servers had a weak security posture even weeks and months after a security update was released.

To compile the report, Trustwave SpiderLabs utilized Shodan, publicly available exploit information and non-intrusive analysis of vulnerable targets accessible on the Internet to provide insights into how an organization can best protect itself. 

This year has seen more than its fair share of organizations victimized by attackers who found a vulnerability in their system. In many cases, the organization remained vulnerable due to a failure to patch software promptly. To help better understand the threat landscape, Trustwave compiled a report on some of the high-profile vulnerabilities that had a significant in the last year and best practices for organizations to avoid vulnerability exploitation. 

We sat down with Trustwave SpiderLabs Security Researcher Jason Villaluna to discuss some of the key insights and trends from the 2021 Telemetry Report in more depth.

What was the most surprising point you uncovered compiling the report?

Most folks outside of IT security will find it surprising that many outdated applications and services are accessible from the Internet. Since many tools can detect these instances, it means the applications can be easily exploited by individuals who have the skills to do so. The worrisome aspect of this is that many organizations are not aware of the risks of exposing such apps and services.

Why do organizations struggle with vulnerability management and patching? 

There are several reasons why organizations struggle with vulnerability management and patching.

First, not every system is created equal. Some are very complex, so that immediate patching is simply not possible. A patch may need several levels of testing and approval from different teams or departments so the organization can be assured that this patch will not harm their current system and work as intended.

Next, not all organizations have a team that can solely focus on vulnerability management. However, as the importance of patching is realized, some organizations are starting to implement a vulnerability management process. Then there is the fact that some organizations just don't have the budget to implement such a team, resulting in some teams having to handle several tasks.

What best practices can organizations put in place to make sure they don't become a victim of high profile or high severity vulnerability exploits? 

There are many best practices for organizations to implement that will improve their defenses. I've listed a few here that will reduce the risk of becoming victimized by high profile vulnerabilities:

1. Assign an individual or a team to work on implementing a holistic security program tackling security assessments, risk management and policy. It's always a good idea to try and find someone already on staff with the knowledge and understanding to handle these tasks. Look for professionals who can provide these services and then build an internal team slowly until they don't need external assistance.
2. Provide training to employees and not just those in the IT department who are handling the critical systems. Some critical vulnerabilities require human interaction. Educate employees by providing periodical cybersecurity training and the necessary support materials. Make sure that they are following the security policies and procedures provided by the company and make them understand the importance of following the guidelines.
3. Don't discount the risk of having outdated systems since these are the ones that are easily targeted. Have the system owner assess the current state and come up with a solution in collaboration with the security team.
4. Have a good incident response plan. No organization wants to become a victim, but it must have a plan in place if something happens. Such a plan will certainly help reduce the impact a cyber incident could have on their company.