Last year was another one for the record books when it came to software vulnerabilities: published security flaws jumped by 31% in 2017.
The number shot up to 20,832 for the year, with nearly 40% of them with CVSSv2 severity scores of 7.0 and higher, according to new data from Risk Based Security.
"Organizations that track and triage vulnerability patching saw no relief in 2017, as it was yet another record-breaking year for vulnerability disclosures," said Brian Martin, vice president of vulnerability intelligence for Risk Based Security, which published its findings last week in a new report. "The increasingly difficult task of protecting digital assets has never been so critical to businesses as we continue to see a rise in compromised organizations and data breaches."
Forrester analyst Josh Zelonis says ineffective vulnerability management is one of the top five concerns security and risk professionals should be focusing on for 2018. Forrester's 2017 global security survey showed that software vulnerabilities played a hand in 41% of external data breaches last year.
Last year's massive WannaCry and NotPetya outbreaks following the patching of the vulnerability exploited by the EternalBlue zero-day offers an illuminating example of how important it is for organizations to more rapidly close their vulnerability windows, according to Zelonis.
"While remediation was listed as 'critical' by Microsoft, these attacks created global damage months after patch availability," Zelonis explained in a recent report.
He detailed the fact that WannaCry wreaked havoc on 300,000 systems 60 days after the patch was released, and 30 days later NotPetya started another round of mayhem that caused serious damage worldwide. For example, he cited losses at pharmaceutical company Merck & Co totaling over $270 million as a result of NotPetya.
"Organizations should really be aiming to fix vulnerabilities on their systems as rapidly as is feasible," says Tim Erlin, vice president of product management and strategy for Tripwire. "Any gap in applying a patch to a vulnerability provides an opportunity for hackers to access systems and steal confidential data."
Last month, a Tripwire survey found that almost a quarter of enterprises still take a month or longer to remediate known vulnerabilities in their systems. What's more, 51% of organizations admit that fewer than half of their systems are automatically discoverable by vulnerability scanning tools - meaning that more that remediation teams may not even know whether or not more than half of systems are susceptible to a known vulnerability at any given time.
Meantime, the number of new vulnerabilities and their severity continues to mushroom. Organizations' vulnerability management practices may also be suffering from a visibility gap when it comes to new vulnerabilities coming down the pike, according to Risk Based Security. The firm said that it published over 7,900 more vulnerabilities than those catalogued by the more widely used MITRE Common Vulnerability Enumeration (CVE) and the National Vulnerability Database (NVD).
Visibility gaps notwithstanding, many CISOs may first need to straighten out the procedures in place to remediate once they receive reports of vulnerabilities, no matter the source of that intelligence.
"The sad truth is that vulnerability management programs have either no or extremely limited ability to actively correct the flaws that they find," explained Mike Convertino, CISO for F5 Networks, in a recent commentary piece for Dark Reading. "Even when completely accurate vulnerability scans are delivered, there aren't enough people to patch or correct the systems in a timeframe that is relevant to prevent attack."
Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading. View Full Bio