2018 Remediation Vulnerability Risk Management Report
In NopSec’s 2018 Remediation Vulnerability Risk Management Report, we look at the latest trends in cybersecurity and vulnerability risk management over the last 12 months. The report shows that prioritizing vulnerabilities based solely on the Common Vulnerability Scoring System (CVSS) score isn’t always appropriate.
We found a surprisingly high portion of vulnerabilities incorporated into malware or exploit kits that are ranked low or medium severity. That means focusing only on high-severity vulnerabilities or setting a ‘cut-off’ point for lower-scoring issues is not a safe or effective strategy. In addition to the CVSS, we look at a range of other factors that can be used as better indicators of potential risk, including machine learning in cybersecurity, natural language processing, and social media trends.
Learn more about our assessment of the state of vulnerability risk management in 2018.
Key Findings from 2018:
Some of the major takeaways of the report include:
- Approximately 21% of published Common Vulnerabilities and Exposures (CVEs) have associated exploit code in the Exploit Database alone. However, only 1.6% have associated Metasploit modules. Less than 2% (1.92%) have been linked to malware. Roughly 95% of vulnerabilities ranked as high have never been linked to malware seen in the wild.
- 44% of CVEs associated with malware were scored as medium or low on the CVSS scale, suggesting that focusing solely on CVEs with high scores (7+) would be a mistake.
- Furthermore, the language used in CVE descriptions offers clues to the fate of vulnerabilities. For example, approximately half of all descriptions of vulnerabilities linked to malware include the words “allows remote.”
- Vendors most likely to be associated with malware vary significantly, depending on whether all CVE data is taken into consideration, or just the last 18 months’ worth. For example, OpenSSL is most commonly associated with malware when considering all CVEs, whereas Canonical (Ubuntu) takes the top spot when considering only recently published CVEs.
- Only half of the Top 20 vulnerabilities derived from NopSec client data can be fixed with a patch. The remainder represents configuration issues to be fixed or insecure cryptographic algorithms or protocols to be disabled.
- Microsoft is the biggest source of vulnerabilities for Financial Services organizations. Healthcare, however, has more to worry about from BSD and Linux. All industries have a significant number of Oracle vulnerabilities.
This shows that simply relying on an asset’s CVSS score may not be enough when assessing vulnerability. Just because the vulnerability receives a high score doesn’t mean it’s the most pressing. Medium and low-rated threats can also be linked to malware. Companies should consider all CVE data for vulnerability prioritization, including more than just the last 18 months’ worth. They should also learn to look for clues in the language that may indicate possible security issues going forward.
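The prioritization approach argued for above, as an added example that is not from NopSec's report or tooling: each CVE's CVSS score is boosted by the threat-context signals the report names (Exploit Database entry, Metasploit module, malware linkage, and the phrase "allows remote" in the description), and a second function shows which malware-linked CVEs a plain CVSS 7+ cut-off would miss. The records and weights are constructed assumptions with placeholder CVE ids.

```python
from dataclasses import dataclass

@dataclass
class CveRecord:
    cve_id: str
    cvss: float
    description: str
    in_exploit_db: bool = False
    has_metasploit_module: bool = False
    linked_to_malware: bool = False

# Assumed weights (not from the report): weaponization evidence outranks
# a high base score on its own, and "allows remote" wording adds a little.
W_MALWARE, W_METASPLOIT, W_EXPLOIT_DB, W_REMOTE = 4.0, 2.0, 1.0, 1.0

def risk_score(rec: CveRecord) -> float:
    """CVSS base score plus context boosts; higher means fix sooner."""
    score = rec.cvss
    if rec.linked_to_malware:
        score += W_MALWARE
    if rec.has_metasploit_module:
        score += W_METASPLOIT
    if rec.in_exploit_db:
        score += W_EXPLOIT_DB
    if "allows remote" in rec.description.lower():
        score += W_REMOTE
    return round(score, 1)

def prioritize(records: list) -> list:
    """Return CVE ids ordered by context-aware risk, highest first."""
    return [r.cve_id for r in sorted(records, key=risk_score, reverse=True)]

def missed_by_cvss_cutoff(records: list, cutoff: float = 7.0) -> list:
    """Malware-linked CVEs a 'high severity only' policy would ignore."""
    return [r.cve_id for r in records if r.linked_to_malware and r.cvss < cutoff]

# Constructed sample data with placeholder ids (not real CVEs).
SAMPLE = [
    CveRecord("CVE-XXXX-0001", 9.8, "Allows remote attackers to execute arbitrary code."),
    CveRecord("CVE-XXXX-0002", 5.3, "Allows remote attackers to read sensitive files.",
              in_exploit_db=True, linked_to_malware=True),
    CveRecord("CVE-XXXX-0003", 7.5, "Local users can gain privileges via a crafted file.",
              in_exploit_db=True, has_metasploit_module=True),
    CveRecord("CVE-XXXX-0004", 3.1, "Improper input validation causes a crash."),
]

if __name__ == "__main__":
    print("Fix order:", prioritize(SAMPLE))
    print("Missed by CVSS 7+ cut-off:", missed_by_cvss_cutoff(SAMPLE))
```

Note that the medium-scored, malware-linked CVE-XXXX-0002 lands at the top of the fix order while a CVSS-only cut-off would drop it entirely.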
Trends in Cybercrime for 2018:
We saw a slew of newly discovered vulnerabilities over the last 12 months, including new tactics designed to trick users and administrators into releasing sensitive information.
Cryptojacking was previously associated with illegal torrents and the shadier parts of the internet, such as those for adult entertainment, but the term is now breaking into the mainstream. During this type of attack, the hacker will infiltrate a person’s mobile device or computer and then use it to mine cryptocurrency. Hackers are seizing low-hanging fruit that may not have as much protection as regular assets, including the Internet of Things, mobile devices, and serverless applications.
Leaked, military-grade exploits are also finding their way into mass-market attacks. The NSA’s EternalBlue exploit may still offer some protection, but hackers are using more sophisticated means to target their victims. This is on top of the usual suspects, including malware, phishing attacks, and distributed denial of service (DDoS) attacks.
We also found that vulnerability remediation management varies greatly from one country to the next. Risk now varies based on the user’s geographic location.
Most large nations have their own version of the National Vulnerability Database (NVD), which serves as the country’s authoritative record for new vulnerabilities. In the U.S., the NVD is managed by the National Institute of Standards and Technology. However, information is not equally populated across all NVDs. For example, China’s NVD (CNNVD) typically adds new vulnerabilities within 12 days of initial reporting, whereas the U.S. NVD takes on average 27 days from initial reporting to publication; both databases are getting faster at updating vulnerabilities. The main difference lies in how these vulnerabilities are reported.
For example, the NVD relies on voluntary vendor reporting, whereas the CNNVD uses web reporting, so when a vulnerability is first announced, it is added to the CNNVD.
The Russian NVD, known as the BDU, lags further behind both the United States and China. Where the United States has almost 108,000 vulnerabilities in its NVD, the BDU only has a little more than 11,000, roughly 10% of the vulnerabilities reported in the United States. The BDU only adds new vulnerabilities every 83 days.
Learning more about how vulnerabilities are identified and categorized can help companies improve vulnerability remediation management. Simply relying on a set CVE score may not be enough unless the company understands the full context of this score and whether it should be taken at face value.
Vulnerability remediation management continues to evolve with every passing year, and 2018 was nothing short of brutal. In addition to targeting and highlighting potential vulnerabilities, companies also need to focus on the remediation process, so they can patch the system before it gets breached.
Download the full 2018 Remediation Vulnerability Risk Management Report from NopSec to learn more about how vulnerability prioritization software has changed over the last 12 months and where we expect it to go from here.