Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Vulnerability Management

2/20/2018
09:00 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Vulnerabilities Broke Records Yet Again in 2017

Meanwhile, organizations still struggle to manage remediation.

Last year was another one for the record books when it came to software vulnerabilities: published security flaws jumped by 31% in 2017.

The number shot up to 20,832 for the year, with nearly 40% of them with CVSSv2 severity scores of 7.0 and higher, according to new data from Risk Based Security.

"Organizations that track and triage vulnerability patching saw no relief in 2017, as it was yet another record-breaking year for vulnerability disclosures," said Brian Martin, vice president of vulnerability intelligence for Risk Based Security, which published its findings last week in a new report. "The increasingly difficult task of protecting digital assets has never been so critical to businesses as we continue to see a rise in compromised organizations and data breaches."

Forrester analyst Josh Zelonis says ineffective vulnerability management is one of the top five concerns security and risk professionals should be focusing on for 2018. Forrester's 2017 global security survey showed that software vulnerabilities played a hand in 41% of external data breaches last year.

Last year's massive WannaCry and NotPetya outbreaks following the patching of the vulnerability exploited by the EternalBlue zero-day offers an illuminating example of how important it is for organizations to more rapidly close their vulnerability windows, according to Zelonis.

"While remediation was listed as 'critical' by Microsoft, these attacks created global damage months after patch availability," Zelonis explained in a recent report.

He detailed the fact that WannaCry wreaked havoc on 300,000 systems 60 days after the patch was released, and 30 days later NotPetya started another round of mayhem that caused serious damage worldwide. For example, he cited losses at pharmaceutical company Merck & Co totaling over $270 million as a result of NotPetya.

"Organizations should really be aiming to fix vulnerabilities on their systems as rapidly as is feasible," says Tim Erlin, vice president of product management and strategy for Tripwire. "Any gap in applying a patch to a vulnerability provides an opportunity for hackers to access systems and steal confidential data."

Last month, a Tripwire survey found that almost a quarter of enterprises still take a month or longer to remediate known vulnerabilities in their systems. What's more, 51% of organizations admit that fewer than half of their systems are automatically discoverable by vulnerability scanning tools - meaning that more that remediation teams may not even know whether or not more than half of systems are susceptible to a known vulnerability at any given time.

Meantime, the number of new vulnerabilities and their severity continues to mushroom. Organizations' vulnerability management practices may also be suffering from a visibility gap when it comes to new vulnerabilities coming down the pike, according to Risk Based Security. The firm said that it published over 7,900 more vulnerabilities than those catalogued by the more widely used MITRE Common Vulnerability Enumeration (CVE) and the National Vulnerability Database (NVD).

Visibility gaps notwithstanding, many CISOs may first need to straighten out the procedures in place to remediate once they receive reports of vulnerabilities, no matter the source of that intelligence. 

"The sad truth is that vulnerability management programs have either no or extremely limited ability to actively correct the flaws that they find," explained Mike Convertino, CISO for F5 Networks, in a recent commentary piece for Dark Reading. "Even when completely accurate vulnerability scans are delivered, there aren't enough people to patch or correct the systems in a timeframe that is relevant to prevent attack."

Related Content:

 

 

 

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
For Cybersecurity to Be Proactive, Terrains Must Be Mapped
Craig Harber, Chief Technology Officer at Fidelis Cybersecurity,  10/8/2019
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17552
PUBLISHED: 2019-10-14
An issue was discovered in idreamsoft iCMS v7.0.14. There is a spider_project.admincp.php SQL injection vulnerability in the 'upload spider project scheme' feature via a two-dimensional payload.
CVE-2019-17553
PUBLISHED: 2019-10-14
An issue was discovered in MetInfo v7.0.0 beta. There is SQL Injection via the admin/?n=tags&c=index&a=doSaveTags URI.
CVE-2019-17408
PUBLISHED: 2019-10-14
parserIfLabel in inc/zzz_template.php in ZZZCMS zzzphp 1.7.3 allows remote attackers to execute arbitrary code because the danger_key function can be bypassed via manipulations such as strtr.
CVE-2019-17545
PUBLISHED: 2019-10-14
GDAL through 3.0.1 has a poolDestroy double free in OGRExpatRealloc in ogr/ogr_expat.cpp when the 10MB threshold is exceeded.
CVE-2019-17546
PUBLISHED: 2019-10-14
tif_getimage.c in LibTIFF through 4.0.10, as used in GDAL through 3.0.1 and other products, has an integer overflow that potentially causes a heap-based buffer overflow via a crafted RGBA image, related to a "Negative-size-param" condition.