Skeletons in the Closet: Security 101 Takes a Backseat to 0-days
2022-04-22 10:56

Microsoft, Google, Apple and others frequently release fixes for vulnerabilities "under active attack." Vulnerabilities in Log4j, or the myriad network device flaws discovered in the last three years in F5, Citrix, Palo Alto and SonicWall products, consume news cycles because the affected systems are used in large corporate infrastructure.

The risk of untrusted USB sticks has been around for over a decade - it was likely the infection vector for the Stuxnet attacks in Iran in 2010 - and it is widely understood as a "Security 101" concept, but attackers wouldn't continue to use these techniques if they didn't work.

As we move further inside a network - through the eyes of an attacker, that is - many security practices from 20+ years ago are commonly ignored.

Attackers don't need to use zero days when organizations aren't keeping up with their patching.

On January 21, CISA added CVE-2006-1547: 16 years after the vulnerability was found, it's still being used by attackers.

There will never be a solution which holistically solves security in every environment, and security teams must be both capable AND empowered to perform the appropriate remediation steps, regardless of the attack vector.


News URL

https://threatpost.com/security-101-takes-a-backseat-to-0-days/179374/

Related Vulnerability

DATE | CVE | VULNERABILITY TITLE | RISK
2006-03-30 | CVE-2006-1547 | Remote vulnerability in Apache Struts | 7.8

ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides further access to elements in the CommonsMultipartRequestHandler implementation and BeanUtils.

network, low complexity, apache