The impact of legacy vulnerabilities in today's cybersecurity landscape

An abstract image of a lock against a digital background, denoting cybersecurity.
(Image Credit: TheDigitalArtist / Pixabay) (Image credit: Pixabay)

The digital revolution has irrevocably transformed how we live, work, and interact - and has driven data protection and cybersecurity to the forefront of business concern. With this interconnectedness comes an increasingly large attack surface for malicious actors to target. The temptation for businesses looking to combat these threats is to focus resources, effort and attention to the headlines related to the ‘unknown’ - AI, novel, zero-day cyber threats that haven’t yet been extensively studied or successfully combated in the wild.

Naturally, for many security teams, identifying and mitigating against these threats, particularly in the era of AI, will take an absolute priority, with concern about the scale of financial damage and operational impact they can cause. However, for small to medium businesses (SMBs), the exploitation of known vulnerabilities - sometimes ones that are several years old - still represents a key cybersecurity challenge. In short, vulnerabilities are weaknesses in systems, applications, processes, and even human behavior that attackers can exploit to gain unauthorized access, steal sensitive data, or disrupt operations. 

These vulnerabilities come in many forms. Programming errors and software flaws can create openings for attackers to inject malicious code or bypass security controls. Improperly configured systems or devices leave them exposed to unauthorized access or manipulation. Weak passwords, the bane of cybersecurity professionals everywhere, are easily cracked or stolen, granting attackers access to accounts and networks. Deceptive tactics, known as social engineering can trick users into revealing sensitive information or clicking on malicious links.

The consequences of exploited vulnerabilities can be devastating. Data breaches expose sensitive customer information, intellectual property, or financial records, leading to financial losses, reputational damage, and even legal and legislative repercussions. Ransomware attacks, a growing scourge, encrypt critical data, paralyzing operations until hefty ransoms are paid. Disruptions caused by cyberattacks can cost companies millions of dollars and significantly erode consumer trust.

Douglas McKee

Executive Director of Threat Research, SonicWall.

The vulnerability landscape - older methods still dominate

Of course, it remains necessary to dedicate resources and time to the identification and mitigation of novel threats, however, new data confirms that existing vulnerabilities still represent one of the most significant cybersecurity challenges facing SMBs. SonicWall’s Intrusion Prevention System (IPS) data from January 2022 to March 2024 reveals the following top 5 most widespread networking attacks targeting small businesses:

  • Log4j (CVE-2021-44228) (43%) 
  • Fortinet SSL VPN CVE-2018-13379 (35%) 
  • Heartbleed (CVE-2014-0160 ) (35%) 
  • Atlassian CVE-2021-26085 (32%) 
  • Vmware CVE-2021-21975 (28%)

Of the top five most widely used network attacks against SMBs, the ‘newest’ vulnerability represented were nearly three years old, while the oldest were over a decade old - which is primitive when considering the modern threat environment. The results are a clear reminder for CISOs and cybersecurity leaders that they must assess organizational threats based on their own current threat landscape, and specifically the main cybersecurity risks facing their organizations - rather than getting swept up in the latest media buzz.

Given the level of knowledge, and the widespread availability of patches available, this tactic may come as a surprise to security teams. However, there are several factors which continue to make the exploitation of known vulnerabilities valuable for attackers. It’s often the case that cybercriminals seek to take the path of least resistance when carrying out cyberattacks - which means testing known exploits, for which they have developed particularly strong techniques, before moving on to more time intensive and strategically planned intrusions.

For SMBs, particularly those in highly regulated or critical industries, balancing the need for continued function of their existing technology stack, with the financial cost and skills required to patch known vulnerabilities means many of these are left at risk, indefinitely. For SMBs, this makes the use of Managed Service Providers (MSPs), who can apply testing, knowledge, industry leading tools and set up automated patches, particularly attractive.

How can SMBs reduce the risk of known exploits?

The fight against cyber threats is a never-ending exercise. Vulnerabilities emerge constantly, and attackers are relentless in their pursuit of exploiting them - even years after they have first been identified. This underscores the critical nature of staying informed about threats, patching vulnerabilities promptly, and implementing a layered security approach.

For SMBs, building a more secure digital future requires a combination of strong cybersecurity strategy at the leadership level and the intelligent application of MSPs who can employ the gold standard of cybersecurity tools and knowledge, and help reduce the risks posed by known vulnerabilities.

Ultimately, Cybersecurity leaders need to ensure they are sufficiently prioritising threats, and allocating resources and time based specifically on how much risk is facing an organisation. This prioritisation is a key step in ensuring the strongest possible cybersecurity. This requires a fundamental understanding of the specific risk landscape facing each industry, and avoiding being caught up by the latest, most terrifying AI trend.

We've listed the best patch management software.

This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here:

Douglas McKee, Executive Director of Threat Research, SonicWall.