Vulnerabilities / Threats //

Vulnerability Management

2/20/2018
09:00 AM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

Vulnerabilities Broke Records Yet Again in 2017

Meanwhile, organizations still struggle to manage remediation.

Last year was another one for the record books when it came to software vulnerabilities: published security flaws jumped by 31% in 2017.

The number shot up to 20,832 for the year, with nearly 40% of them with CVSSv2 severity scores of 7.0 and higher, according to new data from Risk Based Security.

"Organizations that track and triage vulnerability patching saw no relief in 2017, as it was yet another record-breaking year for vulnerability disclosures," said Brian Martin, vice president of vulnerability intelligence for Risk Based Security, which published its findings last week in a new report. "The increasingly difficult task of protecting digital assets has never been so critical to businesses as we continue to see a rise in compromised organizations and data breaches."

Forrester analyst Josh Zelonis says ineffective vulnerability management is one of the top five concerns security and risk professionals should be focusing on for 2018. Forrester's 2017 global security survey showed that software vulnerabilities played a hand in 41% of external data breaches last year.

Last year's massive WannaCry and NotPetya outbreaks following the patching of the vulnerability exploited by the EternalBlue zero-day offers an illuminating example of how important it is for organizations to more rapidly close their vulnerability windows, according to Zelonis.

"While remediation was listed as 'critical' by Microsoft, these attacks created global damage months after patch availability," Zelonis explained in a recent report.

He detailed the fact that WannaCry wreaked havoc on 300,000 systems 60 days after the patch was released, and 30 days later NotPetya started another round of mayhem that caused serious damage worldwide. For example, he cited losses at pharmaceutical company Merck & Co totaling over $270 million as a result of NotPetya.

"Organizations should really be aiming to fix vulnerabilities on their systems as rapidly as is feasible," says Tim Erlin, vice president of product management and strategy for Tripwire. "Any gap in applying a patch to a vulnerability provides an opportunity for hackers to access systems and steal confidential data."

Last month, a Tripwire survey found that almost a quarter of enterprises still take a month or longer to remediate known vulnerabilities in their systems. What's more, 51% of organizations admit that fewer than half of their systems are automatically discoverable by vulnerability scanning tools - meaning that more that remediation teams may not even know whether or not more than half of systems are susceptible to a known vulnerability at any given time.

Meantime, the number of new vulnerabilities and their severity continues to mushroom. Organizations' vulnerability management practices may also be suffering from a visibility gap when it comes to new vulnerabilities coming down the pike, according to Risk Based Security. The firm said that it published over 7,900 more vulnerabilities than those catalogued by the more widely used MITRE Common Vulnerability Enumeration (CVE) and the National Vulnerability Database (NVD).

Visibility gaps notwithstanding, many CISOs may first need to straighten out the procedures in place to remediate once they receive reports of vulnerabilities, no matter the source of that intelligence. 

"The sad truth is that vulnerability management programs have either no or extremely limited ability to actively correct the flaws that they find," explained Mike Convertino, CISO for F5 Networks, in a recent commentary piece for Dark Reading. "Even when completely accurate vulnerability scans are delivered, there aren't enough people to patch or correct the systems in a timeframe that is relevant to prevent attack."

Related Content:

 

 

 

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Who Takes Responsibility for Cyberattacks in the Cloud?
Kelly Sheridan, Staff Editor, Dark Reading,  1/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: On the SS7 network, nobody knows you're a dog.
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-18812
PUBLISHED: 2019-01-16
The Spotfire Library component of TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace, and TIBCO Spotfire Server contains a vulnerability that might theoretically fail to restrict users with read-only access from modifying files stored in the Spotfire Library, only when the S...
CVE-2018-18813
PUBLISHED: 2019-01-16
The Spotfire web server component of TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace, and TIBCO Spotfire Server contains multiple vulnerabilities that may allow persistent and reflected cross-site scripting attacks. Affected releases are TIBCO Software Inc. TIBCO Spotfire...
CVE-2018-18814
PUBLISHED: 2019-01-16
The TIBCO Spotfire authentication component of TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace, and TIBCO Spotfire Server contains a vulnerability in the handling of the authentication that theoretically may allow an attacker to gain full access to a target account, indep...
CVE-2018-5740
PUBLISHED: 2019-01-16
"deny-answer-aliases" is a little-used feature intended to help recursive server operators protect end users against DNS rebinding attacks, a potential method of circumventing the security model used by client browsers. However, a defect in this feature makes it easy, when the feature is i...
CVE-2018-5741
PUBLISHED: 2019-01-16
To provide fine-grained controls over the ability to use Dynamic DNS (DDNS) to update records in a zone, BIND 9 provides a feature called update-policy. Various rules can be configured to limit the types of updates that can be performed by a client, depending on the key used when sending the update ...