back to article Psst, hackers. Just go for the known vulnerabilities

Despite all the publicity about zero-day exploits, a big percentage of breaches (44 per cent) come from vulnerabilities which are two to four years old. Server misconfigurations were the number one vulnerability, according to the latest edition of HP’s annual Cyber Risk Report, which concludes that well-known issues posed the …

  1. Voland's right hand Silver badge

    The biggest vulnerability

    It is called PEBKAC

    1. chivo243 Silver badge

      Re: The biggest vulnerability

      Add to the list, the Jr admin who discovered dcpromo... I would hope PEBKAC refers to the (l)users. But on second thought....

      1. Anonymous Coward
        Anonymous Coward

        Re: The biggest vulnerability

        Not just Jr Admins. There are Sr Admins and even System Architects out there who know better but cut corners. Sometimes the decisions are mostly out of their hands (CxOs who won't cough up the bucks or demand that vendors fix known problems in must use software), other times it's not (default root passwords left unchanged for 5+ years, too simple passwords on administrative level accounts so everyone can remember and use it).

  2. asdf

    Reactive only management

    > organisations must employ fundamental security tactics to address known vulnerabilities

    I.E. spend money and hire competent people which is why they can just store this report, change the date and release it next year with very little changed.

    1. gollux

      Re: Reactive only management

      What I'm coming to realize over a lifetime is that there aren't that many competent people on the planet. A lot of the population who think they're intelligent, are merely clever. Competence and management are two words that often don't ever match.

      1. Anonymous Coward
        Anonymous Coward

        Re: Reactive only management

        It's the Dunning-Kruger effect.

    2. Anonymous Coward
      Anonymous Coward

      Re: Reactive only management

      Nah they would rather hire a bunch of H1B's with no true skills because they cost less. Until they get smashed all red faced that one competent person they have left discovers these people left some huge holes letting the whole world in, but hey they were cheap am I right?

      1. Dave_94302

        Re: Reactive only management

        You are correct.

  3. amanfromMars 1 Silver badge

    The Flip side of the COIN coin

    Discover a new and virtually unknown vulnerability or exercise a more sophisticated and quite exclusive capability, and one can earn billions rather than settling for peanuts ......

  4. Anonymous Coward
    Anonymous Coward

    You mean like the HP ilo vulnerability

    IPMI cipher 0. Nuff said.

  5. Canecutter

    I must be a magnitude 10 heretic

    HP says,

    "Threats can be minimised with a well-thought-out patching strategy, regular penetration testing, layered security defences, threat intelligence sharing and a strategy for introducing new technologies."

    That all sounds like locking the stables after the proverbial horse has already bolted.

    As necessary as the items in the above list from HP are, they seem to be rather studiously ignoring the real first line of threat minimization.

    How about suggesting that people run good code. Isn't it far better to write good code rather than install and patch?

    It is easier to build the system secure (or correct) than to try to retrofit security onto a deployed system.

  6. Bump in the night

    We're all doomed

    So . . . despite endless discussions about what to do about security and no can do it well, no one is smart enough to do it well, no one's operating system is any good, no one gets paid enough to do it well and the dumbest person behind the keyboard can mess it up anyway in a blink of an eye.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like