Most vulnerabilities on enterprise networks are two years old

The NTT Innovation Institute and NTT Group security combined an analysis of over six billion attacks observed in 2014 with an interactive data review and ongoing daily global threat visualization.

During 2014, 76% of identified vulnerabilities throughout all systems in the enterprise were more than 2 years old, and almost 9% of them were over 10 years old
When vulnerabilities of medium risk in the Common Vulnerability Scoring System (CVSS) of 4.0 or higher are considered this highlights that even widespread scares such as Heartbleed and Shellshock have little long term effect on corporate risk management process and companies are still not effective at shedding their legacy vulnerabilities.

Andreas Lindh, Senior Security Analyst at Coresec Systems, believes that some of the listed vulnerabilities are not necessarily a sign of bad vulnerability management but just old, outdated software versions. “An example is the top external vulnerability – “outdated PHP version”. PHP has had a number of pretty serious vulnerabilities over the last few years, but most of them have been in PHP functions. It could be that the organizations running old PHP versions have scanned their code for use of the vulnerable functions but haven’t found any, in which case the old version does not pose any immediate security risk,” according to Lindh.

Across the world, an astounding 56% of attacks against the NTT global client base originated from IP addresses within the United States
However, this is not due to the attackers being within the United States, but rather represents threat actors leveraging cheap cloud or vulnerable infrastructure within the US as an intermediary. This benefited the attacker by often being closer to their target and from more trusted geolocation.

Of the vulnerabilities discovered across enterprises worldwide, 17 of the top 20 exposed vulnerabilities resided within user systems and not on servers
This risk represents a return to some of the roots of information security. The users and their wide range of mobile laptops are once again representing a return of risk that has largely been only lightly addressed by many organizations.


Threats against the end user are higher than ever, attacks show a clear and continuing shift towards success in compromising the end point
During every week of 2014, there was a measureable drop in detected attacks on weekends and holidays when workers were not in the office. On weekends and holidays, the workers are not in the office and end-user systems are either turned off, or not being used. This major drop in weekend attacks demonstrates that organizational controls are detecting security events related to end users.

DDoS attacks changed in nature with a massive shift towards amplification attacks using UDP protocols and this accounted for 63% of all DDoS attacks observed by NTT Group
NTP, SSDP and DNS were used in the vast majority of all DDoS attacks. Many of these attacks come from subverting exposed services in consumer based services (such as home Internet routers) to create DDOS traffic.

Attacks against Business & Professional Services increased from 9% to 15%
The attacks increased by more than 50% year on year and are the result of the risks inherited through business-to-business relationships. The likely implication is that this sector is generally softer, but high value targets for attackers.