5 Times a Vulnerability Broke Your Heart
Just before Valentine’s Day 2019, users of Coffee Meets Bagel (one of the many platforms that emerged during the early years of online dating) were notified of an apparent data breach that took place two years prior. That isn’t the only matchmaking site to get hit by bad actors. Infiltrations of sites like Tinder grow increasingly likely thanks to the popularity of people looking for love in lockdown. Is nothing sacred?
Cybersecurity is a battlefield
Cybercriminals play a dangerous game, and it’s a game that knows no mercy. And you know all too well the challenge of fighting on the front lines of the threat landscape. You pour your heart and soul into remediating CVEs to drive down your business risk. With so much invested, it’s only natural you’d be vulnerable to cyber heartbreak now and then.
During this month of love, we’re looking back at five of the most notorious vulnerabilities whose havoc left a trail of tears (and probably a fair share of empty ice cream cartons) in their wake.
1. WannaCry (MS17-010). Speaking of tears, this vulnerability caused a wave of upset in 2017 when more than 230,000 computers in 150 countries were hit in a single day. Worm-like ransomware that spread using the EternalBlue exploit (another name that sends us into a fit of angst), WannaCry quickly stalked its way to the top of fix lists around the globe. Lots of noise and headlines sent teams into a tizzy to patch the underlying flaw as the worm tore through unpatched Windows systems.
Amid the frenzy, Ed Bellis turned to the data to assuage fears and remind security leaders why they have risk-based prioritization in place.
2. Heartbleed (CVE-2014-0160). This celebrity vulnerability made its debut in 2014 and allowed attackers to read the memory of systems protected by vulnerable versions of OpenSSL. At its peak, it was estimated to have affected somewhere between 30 and 70% of the internet. Talk about twisting the knife.
Aside from the sweeping attacks, Heartbleed is remembered for two reasons: it was the first vulnerability with a logo (and not a bad one at that), and it was an early glimpse into the flaws of the Common Vulnerability Scoring System (CVSS). Even with clear indications of how dangerous it was, CVSS assigned Heartbleed a score of 5 out of 10, failing to account for its ease of exploitation, massive attack surface, and publicly available exploit code. (Kenna Security, like a reliable significant other, took all of that into account and gave this CVE the risk score it deserved: 96.8 out of 100.)
3. BlueKeep (CVE-2019-0708). What feels like a lifetime ago (in 2019), BlueKeep rose to prominence affecting the commonly used Microsoft Remote Desktop Protocol (RDP). BlueKeep is a great example of the dynamic nature of vulnerabilities—and the necessity of data-driven, predictive risk scoring. Initially debuting with a Kenna risk score of 36.06, Kenna’s algorithm quickly assessed the rising severity and likelihood of exploit and adjusted its risk score accordingly, eventually topping the charts at 100.
4. Shellshock (CVE-2014-6271). 2014 was a banner year for cyber heartache. Shellshock (aka Bashdoor) is a bug that sat in Bash for some 30 years before breaking out onto the security scene in the mid-2010s as a remote code execution vuln that lets an attacker leverage Bash to gain control over a targeted computer. And because of its simplicity and low execution cost, it’s still causing trouble to this day, though on a much smaller scale.
And while Shellshock also has a logo, it’s not nearly as cool as Heartbleed’s. Longevity can’t make up for poor branding. So do yourself a favor: Fix it and forget it.
5. Meltdown (CVE-2017-5754). 2018 kicked off with the announcement of a vulnerability rooted in hardware design flaws. Meltdown is an example of a transient execution attack that allows a process to read all memory in a given system. While headlines often tried to turn Meltdown and Spectre (CVE-2017-5753, CVE-2017-5715) into a couple, there really wasn’t any chemistry there. The only thing the two have in common is their reliance on transient execution.
Thanks to the relative difficulty of execution coupled with swift responses within the industry, major meltdowns were avoided. Ed Bellis leveraged this headline-maker as another opportunity to stress the criticality of risk-based prioritization.
Set yourself straight with risk-based prioritization
It’s easy to get swept up in the heat of the moment. The news comes at you fast, pressure from stakeholders takes hold, and your whole week gets thrown off when the newest vuln is deemed a top priority by intel-lacking resources. This is when risk-based prioritization has your back (and your fix list) to help you keep sight of what really matters.
And if you ever need a reminder of why risk-based vulnerability management won’t stand you up, we’ve got a decade’s worth of insights to set yourself straight.
And if podcasts are more your type, you can also take a walk down vulnerability lane as risk-based pioneers Ed Bellis, Michael Roytman, and Jerry Gamblin unpack 10 years of high-risk vulns in an extra special episode of Security Science.