But even if those systems are known risks, they can still give attackers a toe-hold within an organization, said Seitz. “You're only going to break into infrastructure one of two ways: either they haven't patched something, or you're going to burn a zero day,” he said, referring to a previously undiscovered security hole. The former scenario is far more likely than the latter, Seitz said.
Eric Baize, the Senior Director of the Product Security Office at EMC Corp., said that exploitable vulnerabilities in common software like Windows, Adobe's Reader and Java are the unlocked doors and windows of corporate security: even sophisticated cyber attackers will look for them first, before moving on to more involved breaking-and-entering strategies, such as spear phishing attacks or zero day vulnerabilities.
Putting sophisticated hackers aside, having systems on your network vulnerable to aged and well-worn exploits also makes your organization a target for the much larger population of opportunistic attackers, said Matt Dean, the chief operating officer at the security firm Firemon. “Many of the attacks we see are more about (attackers) finding things that can be exploited, and that they know how to exploit than they are about targeting a specific company,” he said.
No easy fix
In the final analysis, our experts say that the steady improvement in the security of Windows is great news - but may not do much to improve the overall security of organizations. That's especially true if attackers can continue to rely on vulnerable legacy systems, or move to other targets of opportunity.
Dean, of Firemon, said that organizations have to deny attackers easy and powerful attacks, such as those enabled by MS08-067 and other common security holes, even if they lurk on systems that seem isolated or low-risk. “You've got to really worry about vulnerabilities in remote access protocols like RPC, SSH, Telnet and FTP - anything that will give you remote control of a system,” he said.
Seitz of Immunity said that web-based application servers are a common point of entry as well: attackers use SQL injection attacks to gain access to the back end database servers, and from there can often move deeper into a network, Seitz said.
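To make the SQL injection entry point concrete, here is an added example (not code from the article or from Immunity) using Python's built-in sqlite3 module against a constructed in-memory users table. It shows a login query built by string concatenation, two injection payloads against it (an authentication bypass and a UNION query that dumps the table, i.e. the "access to the back end database" Seitz describes), and the same query written with bound parameters, which neutralises both payloads. The table contents, column names and payloads are assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    """Build a constructed sample database (not from the article).

    Passwords are stored in clear text only to keep the demo short; a real
    application would store salted hashes.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The unlocked door: user input is spliced into the SQL text itself.

    A single quote in the input ends the string literal and the rest of the
    input is parsed as SQL, so the attacker controls the query's structure.
    """
    query = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(query).fetchall()


def login_parameterized(conn, username, password):
    """The fix: the SQL text is fixed and values are bound separately.

    Whatever the input contains, it is compared as data; it can never change
    the shape of the statement.
    """
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


# Constructed attacker inputs. The "--" starts a SQL comment that discards the
# rest of the original WHERE clause, including the password check.
BYPASS_PAYLOAD = "alice' --"
DUMP_PAYLOAD = "' UNION SELECT username, password FROM users --"


def demo():
    """Run both payloads through both implementations and return the results."""
    conn = make_db()
    return {
        # Logs in as the admin user without knowing the password.
        "bypass": login_vulnerable(conn, BYPASS_PAYLOAD, "wrong"),
        # Returns every (username, password) pair via the UNION.
        "dump": login_vulnerable(conn, DUMP_PAYLOAD, "wrong"),
        # Same payloads against the parameterized query: no rows.
        "safe_bypass": login_parameterized(conn, BYPASS_PAYLOAD, "wrong"),
        "safe_dump": login_parameterized(conn, DUMP_PAYLOAD, "wrong"),
        # A legitimate login still works.
        "legit": login_parameterized(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print("%-12s %r" % (name, rows))
```

The point of the comparison is that escaping or filtering quotes is not what protects the parameterized version; the database never parses the input as SQL at all. Any web tier that still builds queries with string formatting is the kind of "unlocked window" the experts above describe, regardless of how well patched the host operating system is.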
And, in the age of ‘advanced persistent threats,' organizations need to consider those alternative attack methods, and think bigger than just “patching” and malware detection, says Baize of EMC. Companies need to develop secure processes that include patching, network monitoring, endpoint configuration management and other IT controls.