Medium risk and lower risk flaws are being used more by hackers to penetrate enterprise networks, due to firms taking longer to patch them.
Security experts have warned businesses that hackers are moving their focus from flaws designated as high risk by software vendors to flaws normally seen as lower risk.
Lloyd's of London chief information security officer Marcus Alldrick said, "They're not going for the normal high risk flaws, they're going for the medium risk ones. In the patch management cycle, the medium risk flaws [considered lower risk] are being patched later."
That delay in patching is also being exacerbated by hackers combining the lower risk flaws to create so-called blended threats, explained BT global head of business continuity, security & governance practice Ray Stanton.
By combining two lower risk flaws, hackers can create a high risk threat to an organisation.
Stanton agreed with Alldrick, adding, "Although individually a lot of those low or medium threats may not pose a great risk, when you connect them together, it gives the opportunity to use 'blended' threats."