Revealed by a Bitdefender survey of 2020 business threats

64% of corporate security risks are "forgotten holes" that can be resolved

These vulnerabilities have become a free golden opportunity for professional internet hackers.


Information security experts revealed that 64% of the existing security risks in institutions and companies are due to "forgotten security flaws" for which security solutions and corrections were already available. The institutions and companies failed to install the security updates and left the flaws as they were, turning them into a source of great risk for the companies and a free golden opportunity for professional internet hackers.

Experts said that most of these vulnerabilities date back to 2018 and earlier years, and a few have existed since 2002 in entities that still operate outdated systems.

The discussion of the phenomenon of "forgotten security vulnerabilities" came in the context of the results of an extensive field survey conducted by a team of information security experts at Bitdefender, a company specializing in the production of information security solutions and systems. The survey was published in full on 3 November in the news section of the company's website, and dealt with various security situations and threats in the "new normal" brought about by the novel coronavirus.


Experts stated that the vast majority of organizations still suffer from uncorrected vulnerabilities identified anywhere between 2002 and 2018: 64% of all reported security vulnerabilities that remained unfixed during the first half of 2020 were found to involve known flaws dating back to 2018 and earlier years, which means that organizations are exposed to defects that someone should have fixed a long time ago.

They added that 36.37% of the reported security vulnerabilities that remained unfixed during the first half of 2020 were CVEs discovered in 2019 affecting remote businesses, while 88.39% of them were unfixed security vulnerabilities in the products and services of Microsoft.

The survey revealed that old, forgotten vulnerabilities are the biggest security challenge facing institutions, even where there is no awareness of them: 60% of the breaches during 2019 were found to have occurred through vulnerabilities that had not been fixed despite the availability of appropriate solutions and updates.

It was also found that 62% of institutions did not know they were at risk from old, forgotten vulnerabilities until a hack had occurred and succeeded, and that 52% of them relied on a manual patching procedure instead of an automated procedure based on periodic updates.
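The statistics above (the share of open findings whose CVE dates from two or more years back, and the length of time a fix has been available but not applied) are the kind of patch-backlog metrics a security team can compute over its own vulnerability scan output rather than learn about after a breach. The following is an added example, not code from the article or from Bitdefender: it runs over a small constructed inventory of open findings (placeholder CVE identifiers of the form CVE-YYYY-0000, invented hosts and dates) and reports how many findings are "forgotten" by the report's definition, which vendors they cluster on, and which findings exceed a patch-window SLA.

```python
"""Patch-backlog age analysis over a constructed vulnerability inventory (added example)."""
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class OpenFinding:
    cve: str              # CVE identifier as reported by the scanner
    vendor: str           # vendor of the affected product
    host: str             # affected asset (constructed hostname)
    fix_available: date   # date the vendor published a fix (constructed)


# Constructed sample data; the CVE ids are placeholders, not real advisories.
SAMPLE_FINDINGS = [
    OpenFinding("CVE-2002-0000", "Oracle", "legacy-db-01", date(2002, 9, 1)),
    OpenFinding("CVE-2017-0000", "Microsoft", "ws-finance-07", date(2017, 3, 14)),
    OpenFinding("CVE-2018-0000", "Mozilla", "ws-hr-03", date(2018, 10, 2)),
    OpenFinding("CVE-2019-0000", "Microsoft", "ws-sales-12", date(2019, 11, 20)),
    OpenFinding("CVE-2020-0000", "Mozilla", "ws-dev-05", date(2020, 5, 15)),
]


def cve_year(cve: str) -> int:
    """Return the year embedded in a CVE id, rejecting malformed identifiers."""
    parts = cve.upper().split("-")
    if (len(parts) != 3 or parts[0] != "CVE"
            or not parts[1].isdigit() or not parts[2].isdigit()):
        raise ValueError(f"malformed CVE id: {cve!r}")
    return int(parts[1])


def summarize(findings, as_of: date, stale_years: int = 2) -> dict:
    """Share of open findings whose CVE is at least `stale_years` old as of `as_of`.

    With stale_years=2 and as_of in 2020 this matches the survey's cut-off
    (CVEs from 2018 and earlier).
    """
    total = len(findings)
    stale = [f for f in findings if cve_year(f.cve) <= as_of.year - stale_years]
    oldest = min(findings, key=lambda f: f.fix_available) if findings else None
    return {
        "total": total,
        "stale_count": len(stale),
        "stale_pct": round(100.0 * len(stale) / total, 2) if total else 0.0,
        "stale_by_vendor": dict(Counter(f.vendor for f in stale)),
        "oldest_cve": oldest.cve if oldest else None,
        # Days a fix has existed for the oldest finding without being applied.
        "max_exposure_days": (as_of - oldest.fix_available).days if oldest else 0,
    }


def overdue(findings, as_of: date, max_days: int = 90) -> list:
    """Findings whose fix has been available longer than the patch-window SLA."""
    return sorted(
        (f for f in findings if (as_of - f.fix_available).days > max_days),
        key=lambda f: f.fix_available,
    )


if __name__ == "__main__":
    snapshot = date(2020, 6, 30)   # end of the survey's first-half-2020 window
    report = summarize(SAMPLE_FINDINGS, snapshot)
    print(f"{report['stale_pct']}% of open findings are {2}+ years old "
          f"({report['stale_count']}/{report['total']}); by vendor: {report['stale_by_vendor']}")
    print(f"oldest: {report['oldest_cve']} with a fix available for "
          f"{report['max_exposure_days']} days")
    for f in overdue(SAMPLE_FINDINGS, snapshot):
        print(f"OVERDUE {f.host}: {f.cve} (fix published {f.fix_available})")
```

Feeding the real scanner export into `SAMPLE_FINDINGS` (or parsing it into `OpenFinding` records) turns the survey's headline numbers into a per-organization dashboard; the `overdue` list is the queue an automated patch process should be draining, and a non-empty list under a manual process is exactly the condition the survey associates with breaches.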

Incidents of 2020

As for the security incidents that occurred in 2020, 63.6% of them involved vulnerabilities with CVE identifiers, and 36.37% of the incidents during 2020 involved vulnerabilities reported in 2019 for which fixes were available but had not been applied. These vulnerabilities exist in the Mozilla Firefox browser and in various Microsoft services for which security patches had been distributed in 2019, 2018, 2017 and 2016.

The team said that a large range of Microsoft and Mozilla versions is usually deployed in most work environments, which explains why attackers focus mainly on these versions and products. This did not prevent the same problem from being found in products other than those of Microsoft and Mozilla: security flaws were detected in 1.77% of the copies of the Oracle VirtualBox virtualization package, 1.11% of the copies of the VLC media player, and 0.24% of the copies of the "Tut IPad" text-editing program. The same problem appeared in asset management and identity and access management (IAM) systems, archiving systems, network analysis tools commonly used by IT and security teams, databases such as Mongo, and many other popular commercial systems and applications.

Two high-risk vulnerabilities

The survey showed that during May 2020, attacks focused on a security vulnerability known as "CVE-2019-1174619", which experts classified as the most high-risk of the security vulnerabilities left uncorrected in 2019. It is in a Mozilla product and can be exploited in browser-like contexts, including through manipulation of video elements that may cause an exploitable crash.

During the same month, attacks targeted another high-risk security vulnerability, CVE-2019-054120, in a Microsoft product, affecting the Office software package, the Internet Explorer browser and the Office 365 cloud service. It could allow attackers to take control of the computer's operating system if the user was logged in with administrative rights.