Vulnerabilities / Threats //

Vulnerability Management

2/20/2018
09:00 AM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

Vulnerabilities Broke Records Yet Again in 2017

Meanwhile, organizations still struggle to manage remediation.

Last year was another one for the record books when it came to software vulnerabilities: published security flaws jumped by 31% in 2017.

The number shot up to 20,832 for the year, with nearly 40% of them with CVSSv2 severity scores of 7.0 and higher, according to new data from Risk Based Security.

"Organizations that track and triage vulnerability patching saw no relief in 2017, as it was yet another record-breaking year for vulnerability disclosures," said Brian Martin, vice president of vulnerability intelligence for Risk Based Security, which published its findings last week in a new report. "The increasingly difficult task of protecting digital assets has never been so critical to businesses as we continue to see a rise in compromised organizations and data breaches."

Forrester analyst Josh Zelonis says ineffective vulnerability management is one of the top five concerns security and risk professionals should be focusing on for 2018. Forrester's 2017 global security survey showed that software vulnerabilities played a hand in 41% of external data breaches last year.

Last year's massive WannaCry and NotPetya outbreaks following the patching of the vulnerability exploited by the EternalBlue zero-day offers an illuminating example of how important it is for organizations to more rapidly close their vulnerability windows, according to Zelonis.

"While remediation was listed as 'critical' by Microsoft, these attacks created global damage months after patch availability," Zelonis explained in a recent report.

He detailed the fact that WannaCry wreaked havoc on 300,000 systems 60 days after the patch was released, and 30 days later NotPetya started another round of mayhem that caused serious damage worldwide. For example, he cited losses at pharmaceutical company Merck & Co totaling over $270 million as a result of NotPetya.

"Organizations should really be aiming to fix vulnerabilities on their systems as rapidly as is feasible," says Tim Erlin, vice president of product management and strategy for Tripwire. "Any gap in applying a patch to a vulnerability provides an opportunity for hackers to access systems and steal confidential data."

Last month, a Tripwire survey found that almost a quarter of enterprises still take a month or longer to remediate known vulnerabilities in their systems. What's more, 51% of organizations admit that fewer than half of their systems are automatically discoverable by vulnerability scanning tools - meaning that more that remediation teams may not even know whether or not more than half of systems are susceptible to a known vulnerability at any given time.

Meantime, the number of new vulnerabilities and their severity continues to mushroom. Organizations' vulnerability management practices may also be suffering from a visibility gap when it comes to new vulnerabilities coming down the pike, according to Risk Based Security. The firm said that it published over 7,900 more vulnerabilities than those catalogued by the more widely used MITRE Common Vulnerability Enumeration (CVE) and the National Vulnerability Database (NVD).

Visibility gaps notwithstanding, many CISOs may first need to straighten out the procedures in place to remediate once they receive reports of vulnerabilities, no matter the source of that intelligence. 

"The sad truth is that vulnerability management programs have either no or extremely limited ability to actively correct the flaws that they find," explained Mike Convertino, CISO for F5 Networks, in a recent commentary piece for Dark Reading. "Even when completely accurate vulnerability scans are delivered, there aren't enough people to patch or correct the systems in a timeframe that is relevant to prevent attack."

Related Content:

 

 

 

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
'Hidden Tunnels' Help Hackers Launch Financial Services Attacks
Kelly Sheridan, Staff Editor, Dark Reading,  6/20/2018
Tesla Employee Steals, Sabotages Company Data
Jai Vijayan, Freelance writer,  6/19/2018
Inside a SamSam Ransomware Attack
Ajit Sancheti, CEO and Co-Founder, Preempt,  6/20/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-12633
PUBLISHED: 2018-06-22
An issue was discovered in the Linux kernel through 4.17.2. vbg_misc_device_ioctl() in drivers/virt/vboxguest/vboxguest_linux.c reads the same user data twice with copy_from_user. The header part of the user data is double-fetched, and a malicious user thread can tamper with the critical variables (...
CVE-2018-12634
PUBLISHED: 2018-06-22
CirCarLife Scada v4.2.4 allows remote attackers to obtain sensitive information via a direct request for the html/log or services/system/info.html URI.
CVE-2018-12635
PUBLISHED: 2018-06-22
CirCarLife Scada v4.2.4 allows unauthorized upgrades via requests to the html/upgrade.html and services/system/firmware.upgrade URIs.
CVE-2018-12630
PUBLISHED: 2018-06-21
NEWMARK (aka New Mark) NMCMS 2.1 allows SQL Injection via the sect_id parameter to the /catalog URI.
CVE-2018-12631
PUBLISHED: 2018-06-21
Redatam7 (formerly Redatam WebServer) allows remote attackers to read arbitrary files via /redbin/rpwebutilities.exe/text?LFN=../ directory traversal.