2020 State of Vulnerability Management Report: CVE List, Vulnerability Detection & More
The state of vulnerability management has changed dramatically over the last few years. NopSec puts out an annual report on the state of asset and vulnerability management to highlight which threats our clients have been facing over the previous 12 months. The report also aims to shed light on areas or gaps in traditional vulnerability management, so companies can implement vulnerability prioritization tools to patch possible vulnerabilities before a breach occurs.
The last year was unlike any other as millions of companies switched to remote work in the face of the COVID-19 pandemic. However, using digital assets and web applications remotely can increase vulnerability. Employees will need to access these assets using personal devices, which may lack the necessary security protocols. This leads to a loss of visibility and control of these systems and assets for many companies. Managers need to train their employees on the latest security protocols, so they can access the system remotely without putting sensitive data at risk.
Data and Methodology
To create the report, NopSec examined anonymized data collected from clients using the company’s Unified VRM® (Vulnerability Risk Management) platform. The data was aggregated anonymously and sheds light on typical vulnerability management practices and the key performance indicators of a well-formed vulnerability risk management program.
The CrowdStrike Global Threat Report recommends that organizations regularly review and improve their standard security controls. Every security risk management program should include the following:
- Asset prioritization and management
- Vulnerability and patch management
- Threat-based prioritization
- User awareness programs
- Strong Multifactor Authentication (MFA), robust privilege access management, and password protection
Risk Management Assessment Findings:
When looking at the data, we found that many customers and security teams struggle when deciding if a non-critical business application should be labeled as “High,” “Medium,” or “Low,” which makes it difficult for the company to prioritize its remediation efforts.
However, this can be remediated through increased transparency. Customers that use NopSec’s automatic asset value algorithm reduced business-critical risk four times more than customers relying on manual processes. NopSec’s automatic asset value system enables organizations’ IT teams to focus remediation on business- or mission-critical assets, delivering direct security value.
Companies need to understand the true risk level of vulnerabilities when making decisions. Data overload and miscategorization can lead to poor decision making and improper remediation.
NopSec’s risk prioritization reclassified the assets to reduce the number of prioritized vulnerabilities by 60%. The report shows 1.2 million vulnerabilities reprioritized as critical and an overall 22.6% of vulnerabilities deprioritized as low risk.
When looking at the number of vulnerabilities by risk level, we found that the most urgent and critical vulnerabilities do not follow predictable patterns. While most VRM programs are designed to create sustainable processes, Unified VRM enables customers to be prepared for these critical surprise vulnerabilities through proactive prioritization and automated remediation.
Most importantly, the net effect of prioritization is to increase the total number of medium and low vulnerabilities, slightly increase the critical and high-risk categories, and introduce the urgent risk category for an extremely targeted remediation effort.
When looking at remediation and patch management, we found that organizations seem to choose a steady remediation speed across all vulnerability risk categories. This indicates that, apart from urgent vulnerabilities, on average vulnerabilities in every risk category are remediated uniformly as part of a well-formed vulnerability risk management program. When looking at the remediation timeline, no urgent vulnerabilities are shown as overdue, which reveals that the urgency of the risk has a deep effect on the timing of the remediation.
The report also includes a CVE list for 2020, including the most common vulnerabilities and exposures (CVEs) among all NopSec clients.
Most of these high-risk CVEs are remote code execution vulnerabilities in the Windows environment or privilege escalation vulnerabilities used to gain a more privileged user’s access rights; the exceptions are low-risk vulnerabilities that are still trending in customer environments. They enable the attacker to land and then expand into the organization’s network. These one-hit wonders are the most popular because of their ease of execution: they require exploiting only a single vulnerability.
The report also examines whether relying on the CVSS is enough when prioritizing vulnerabilities. Companies should include other factors and variables when assessing overall risk.
Download the full report to learn more about the latest risk mitigation recommendations, vulnerability management best practices and key performance indicators of a well-formed vulnerability risk management program.