author photo
By Bruce Sussman
Mon | Apr 23, 2018 | 1:56 PM PDT

When a new exploit or vulnerability is revealed, it typically takes attackers just 24 hours to weaponize it and attempt to use it against the U.S. Department of Defense.

The same is true when a known vulnerability works in the private sector. The next target is often the government.

This is according to CyberScoop in a report on an RSAC 2018 talk by David Hogue, a senior technical director for the National Security Agency's Cybersecurity Threat Operations Center (NCTOC).

Within a day of the Equifax breach, Hogue said, attackers scanned the Department of Defense network for the same unpatched Apache Struts vulnerability that worked at the credit reporting agency.   

Most hacks still happening from poor cyber hygiene

Hogue also says it is the known issues that cause the most cyber trouble. “At NSA we have not responded to an intrusion response that’s used a zero-day vulnerability in over 24 months,” he said. “The majority of incidents we see are a result of hardware and software updates that are not applying.”

This is right in line with what Dr. Larry Ponemon has told us at our SecureWorld cybersecurity conferences, based on his research.

A recent study Ponemon did on behalf of ServiceNow revealed that 59% of InfoSec leaders who reported a breach said the breach happened because of an unpatched vulnerability. And we're talking about a vulnerability where the patch was already widely pushed out and available.

Speaking of Larry Ponemon, here's how he got started in research, in his own words: