Full Report
A report by HP has found that 44 percent of all breaches in 2014 were caused by known vulnerabilities that were between two and four years old.
Analysis Summary
This source is a summary of a report by HP regarding the top data breaches of 2014, emphasizing that most successful attacks leveraged known, often decades-old, vulnerabilities. Since the source discusses general trends and aggregate statistics rather than a specific, single flaw, most fields below will reflect this aggregated nature or will be marked as "Not applicable based on source."
# Vulnerability: Exploitation of Known, Aging Vulnerabilities (2014 Breaches)
## CVE Details
- CVE ID: Not applicable based on source (Discusses trends across multiple CVEs)
- CVSS Score: Not applicable based on source
- CWE: Not applicable based on source
## Affected Systems
- Products: Unspecified software and systems deployed by organizations targeted in 2014 breaches.
- Versions: Not specified; the vulnerabilities involved range from two years to several decades old.
- Configurations: Systems suffering from poor patching hygiene and server misconfigurations (cited as the number one vulnerability).
## Vulnerability Description
The analysis indicates that a significant portion (44%) of data breaches in 2014 were facilitated by vulnerabilities that were already known, often two to four years old, and that the top 10 exploited vulnerabilities took advantage of code weaknesses that had been present for decades. The core technical issues stem from fundamental software programming errors, bugs, and logic flaws. Server misconfiguration was identified as the single most common vulnerability exploited.
## Exploitation
- Status: Exploited in the wild (Refers to patterns observed across 2014 breaches)
- Complexity: Low to Medium (Attackers reuse "tried and tested" exploits)
- Attack Vector: Various, including network-based vectors that successfully leveraged server misconfigurations.
## Impact
- Confidentiality: High potential impact revealed by successful breaches.
- Integrity: High potential impact revealed by successful breaches.
- Availability: Mentioned indirectly via the general risk of damaging attacks.
## Remediation
### Patches
- Strategy Recommendation: Organizations must employ a "well-thought-out patching strategy." (No specific patch versions provided as the source discusses historical trends.)
### Workarounds
- Security Tactics: Organizations are advised to employ "fundamental security tactics to address known vulnerabilities."
- Layered Security Defenses.
- Regular Penetration Testing.
## Detection
- Detection methods/tools: Not explicitly detailed, but the source implies a need for better vulnerability scanning and threat intelligence.
- Indicators of Compromise: Not applicable based on source.
## References
- Vendor Advisories: HP Cyber Risk Report 2015 (http://info.hpenterprisesecurity.com/LP_456590_Cross_CyberriskFullReport_0115_gate?src=pressrelease)
- Relevant links:
  - TechWeek Europe Article (defanged): hxxp://www.techweekeurope.co.uk/security/cyberwar/hp-cyber-risk-security-report-162818
  - IT Pro Portal Article (defanged): hxxp://www.itproportal.com/2015/02/24/report-finds-decades-old-security-threats-still-largest-threats/
  - ESET IoT Article (defanged): hxxps://www.welivesecurity.com/2015/02/16/internet-things-security-timebomb/