Security experts warn firms of the higher risks of lower-risk flaws

Medium- and lower-risk flaws are being used more by hackers to penetrate enterprise networks, due to firms taking longer to patch them

Lower risk flaws pose higher risk for enterprises

Security experts have warned businesses that hackers are moving their focus from flaws designated as high risk by software vendors to flaws normally seen as lower risks.

Lloyd's of London chief information security officer Marcus Alldrick said, " [Hackers] are not going for the normal high risk flaws, they're going for the medium risk ones. In the patch management cycle, the medium risk flaws are being patched later."

That delay in patching is also being exacerbated by hackers combining the lower-risk flaws to create so-called blended threats, explained BT global head of business continuity, security & governance practice Ray Stanton.

By combining two lower-risk flaws, hackers can cause high-risk threats to an organisation.

Stanton agreed with Alldrick adding, "Although individually a lot of those low or medium threats may not pose a great risk, when you connect them together, it gives the opportunity to use 'blended' threats."

BT's Stanton said he had teams working on how hackers exploit threats like these. "Other teams like IBM's X-Force are doing the same, looking for disparate lower-risk flaws to bring together – you're not looking for easy options – they're called 'slow and mean' attacks."

Asked how firms should proceed against these threats, Lloyd's of London's Alldrick said, "We can't just concentrate on the protective aspects of our controls, we have to look at the detective aspects as well – and that means more monitoring, and being more agile in applying the corrective fixes."

Bernt Ostergaard, senior research director at market research company Current Analysis, said that although the number of security flaws was down in 2009 compared with 2008, "this is due to [organised hackers] becoming much more targeted and much more vicious – they're getting better at targeting where the money is."

Ostergaard also pointed out that "the traditional anti-malware fighters
trying to address these threats, like the F-Secures and the McAfees, just can't
keep up."