COMMENTARY: Security teams do a good job at tackling the most well-known threats to their systems, but while they focus on remediating CVEs and other high-profile threats, they may overlook a wide range of equally risky, though unseen, vulnerabilities right under their noses.
Environmental vulnerabilities—such as missing security tools, shadow IT, or out-of-date software—exist throughout IT environments and are increasingly targeted by attackers. They create a landscape of hidden threats beneath the surface of IT environments that teams are responsible for, even if they are unaware of them. Environmental vulnerabilities like underdeployed patch agents also impair an organization’s ability to remediate CVEs.
[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]
While software vulnerabilities like Log4j get attention, environmental vulnerabilities resulting from organizational failures that create a disconnect between IT and security teams present a greater security risk.
Enterprises are rife with hidden vulnerabilities
In our 2024 State of the Cybersecurity Attack Surface report, we found that 28% of the 1.2 million enterprise assets studied are missing at least one critical security control. The report also found that:
- 23% of IT assets are not covered by enterprise vulnerability management systems.
- 22% are not covered by patch management solutions.
- 10% are missing endpoint protection.
Considering the hundreds, thousands or hundreds of thousands of assets organizations have, that lack of visibility into an organization’s assets, combined with missing or out-of-date security controls, creates serious security gaps.
CISOs emphasize vulnerability management, but the sheer volume of under-the-radar environmental vulnerabilities—compounded by the lack of visibility—makes it hard to prioritize them, so organizations tend to focus on CVEs.
Using the Common Vulnerabilities and Exposures (CVE) list, maintained by MITRE and sponsored by the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA), has undoubtedly become important. But attackers have adjusted and are turning their attention to exploiting weaknesses in IT environments.
CISOs already have a lot on their plates, dealing with an increasingly sophisticated and active cyber threat landscape while trying to stay compliant with an array of increasingly strict cybersecurity regulations, such as the Securities and Exchange Commission’s new rules on reporting cyber incidents. And in the wake of high-profile attacks such as SolarWinds, regulators are shifting accountability up the chain, putting CISOs in the crosshairs while also considering the accountability of CIOs and corporate board members.
How environmental vulnerabilities persist
Many organizations are unable to find environmental threats in their IT assets because they don’t have an accurate inventory of IT assets that make up their attack surface or visibility into the deployment of tools and agents. At least two roadblocks stand in the way of uncovering—and even correcting—environmental vulnerabilities:
- Legacy IT: Many IT environments are littered with old servers and operating systems, some of which the IT teams didn’t even know they had. In our survey, 6% of all IT assets had reached the end-of-life (EOL) stage, adding to the list of known vulnerabilities that were not patched.
- Limited visibility into migrations: Identifying EOL and other vulnerable assets and migrating them to a current OS isn’t always simple. And relying on business units to confirm that vulnerable assets are now entirely running on the latest software can backfire, creating a false sense of security when, in fact, those environmental vulnerabilities persist.
Given these realities, visibility has become essential to eliminating the threats from environmental vulnerabilities, and that starts with a comprehensive asset inventory, including assets that have environmental vulnerabilities.
It’s a critical first step in driving a mature vulnerability management program. An accurate inventory ensures everything has been scanned and that patch agents are fully deployed to patch vulnerable assets across the entire attack surface.
Mature vulnerability management will require other steps like consolidating and prioritizing vulnerabilities, as well as remediating vulnerabilities and validating fixes, but it has to start with comprehensive visibility, which lets companies understand the state of their assets so they can detect when remediation takes place, and more importantly, when it doesn’t.
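The inventory-first approach described above comes down to one reconciliation step: merge what every source (CMDB, vulnerability scanner, patch agent, endpoint protection) reports it can see, then compute which assets each control is missing. The following script is an added example, not code from the column's author or from Sevco Security; the tool names, host records and EOL list are constructed sample data, and the source names in the inventory are assumptions.

```python
"""Reconcile several asset exports into one inventory and report control coverage gaps.

Constructed sample data for illustration; the source names (cmdb, vuln_mgmt,
patch_mgmt, endpoint_protection) and the EOL list are assumptions, not a real product's output.
"""
from dataclasses import dataclass, field

# Constructed exports. Hostnames deliberately disagree on case and FQDN vs short name,
# which is the usual reason naive joins under-count or double-count assets.
CMDB = [
    {"host": "WEB01.corp.example", "os": "Windows Server 2019"},
    {"host": "db02.corp.example", "os": "Windows Server 2012 R2"},
    {"host": "app03.corp.example", "os": "Ubuntu 22.04"},
    {"host": "legacy04.corp.example", "os": "Windows Server 2008 R2"},
]
VULN_SCANNER_HOSTS = ["web01", "app03", "jump07"]   # scanner sees a host the CMDB lacks
PATCH_AGENT_HOSTS = ["web01", "db02", "app03"]
EDR_AGENT_HOSTS = ["web01", "app03", "jump07"]
EOL_OS = {"Windows Server 2008 R2", "Windows Server 2012 R2"}  # constructed EOL list

REQUIRED_CONTROLS = ("vuln_mgmt", "patch_mgmt", "endpoint_protection")


def normalize(host: str) -> str:
    """Collapse case and FQDN differences so every source keys on the same short name."""
    return host.strip().lower().split(".")[0]


@dataclass
class Asset:
    host: str
    os: str = "unknown"
    sources: set = field(default_factory=set)    # which exports mention this host
    controls: set = field(default_factory=set)   # which security controls cover it


def build_inventory(cmdb=CMDB, scanner=VULN_SCANNER_HOSTS,
                    patch=PATCH_AGENT_HOSTS, edr=EDR_AGENT_HOSTS) -> dict:
    """Union of all sources: an asset exists if any source has seen it."""
    assets: dict[str, Asset] = {}

    def get(raw_host: str) -> Asset:
        key = normalize(raw_host)
        return assets.setdefault(key, Asset(host=key))

    for rec in cmdb:
        a = get(rec["host"])
        a.os = rec["os"]
        a.sources.add("cmdb")
    for control, hosts in (("vuln_mgmt", scanner), ("patch_mgmt", patch),
                           ("endpoint_protection", edr)):
        for h in hosts:
            a = get(h)
            a.sources.add(control)
            a.controls.add(control)
    return assets


def coverage_report(assets: dict, required=REQUIRED_CONTROLS, eol=EOL_OS) -> dict:
    """Per-control gaps, assets missing any control, shadow assets and EOL operating systems."""
    total = len(assets)
    missing_any = [h for h, a in assets.items() if set(required) - a.controls]
    per_control = {c: sorted(h for h, a in assets.items() if c not in a.controls)
                   for c in required}
    not_in_cmdb = sorted(h for h, a in assets.items() if "cmdb" not in a.sources)
    eol_hosts = sorted(h for h, a in assets.items() if a.os in eol)
    return {
        "total": total,
        "missing_any_pct": round(100 * len(missing_any) / total, 1) if total else 0.0,
        "missing_any": sorted(missing_any),
        "per_control": per_control,
        "not_in_cmdb": not_in_cmdb,   # seen by a tool but absent from the record of truth
        "eol": eol_hosts,
    }


if __name__ == "__main__":
    report = coverage_report(build_inventory())
    print(f"{report['total']} assets, {report['missing_any_pct']}% missing at least one control")
    for control, hosts in report["per_control"].items():
        print(f"  {control}: missing on {hosts or 'none'}")
    print("  not in CMDB:", report["not_in_cmdb"])
    print("  EOL OS:", report["eol"])
```

Taking the union rather than starting from the CMDB is what exposes the shadow asset (`jump07`) and the forgotten legacy host at the same time: one is missing from the inventory, the other is in the inventory but invisible to every control. Re-running the report after a migration or agent rollout is the validation step the column calls for, since an asset only leaves the gap lists when a source actually reports it.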
Teams also need to address the organizational issues that have allowed environmental vulnerabilities to spread. It’s easy to blame vulnerabilities on oversights by the security team, but environmental vulnerabilities grow because of structures within the organization that prevent teams from effectively and efficiently addressing them. Organizations need to align the IT and security teams, while security teams must incorporate tools that deliver visibility and enable cross-department accountability.
Without addressing the organizational as well as technical challenges, environmental vulnerabilities will continue to abound in enterprises, offering easy targets for attackers who know where to find exploitable vulnerabilities in forgotten or overlooked IT assets.
JJ Guy, chief executive officer, Sevco Security