2017 State of Vulnerability Risk Management Report: Remediation Risk Management & Other Topics
The state of vulnerability management changed dramatically in 2016 with more companies facing various forms of threats than in years past. NopSec remains a leader in cyber exposure management. Our annual State of Vulnerability Risk Management Report shows how these threats have evolved over the last 12 months. Companies and security experts can use this information to reduce cyber exposure risk.
Types of Attacks Reported in 2016
2016 was a brutal year for cybersecurity. Many different types of companies and organizations were affected by these threats. We focused on some of the most notable incidents of 2016, including:
The DNC Email Dump
The 2016 U.S. Presidential Election was anything but ordinary. Just before Americans went to the polls, WikiLeaks published a cache of nearly 20,000 emails and 8,000 attachments obtained from the Democratic National Committee. WikiLeaks purportedly obtained these from a hacker going by the name Guccifer 2.0.
The Dyn DDoS Attack of October 2016
Many distributed denial of service (DDoS) attacks target individual websites and services: the attacker floods the server with artificial traffic in order to bring the system down. The 2016 Dyn DDoS was perhaps the most extreme example.
An attacker (or attackers) targeted Dyn — one of the most widely used DNS platforms on the Internet — with a gargantuan amount of traffic, with the aim of rendering it inaccessible to legitimate users. This resulted in several popular Internet services slowing to a crawl or being altogether unavailable to users.
The Global WannaCry Ransomware Attack
In just one day, WannaCry spread to over 300,000 computers, many of them in critical enterprise and government environments. Intelligence agencies believe the ransomware was created by the North Korean government and propagated by the “Lazarus Group,” which is the prime suspect in the Sony Pictures hack of 2014. In total, it was said to have spread to 99 countries. As of July 2017, the three Bitcoin wallets associated with WannaCry had earned a total of just 51.65 Bitcoins. At current market rates, this translates to just $219,565.
The Vulnerability Landscape in 2017
Thanks to our position in the cybersecurity industry, NopSec retains a “bird’s-eye” view of the overall “vulnerability landscape.” In this year’s report, we explore which industries are being targeted the most and the proliferation of vulnerabilities on a vendor-by-vendor basis to determine the most common avenues of ingress for an attacker.
Security Vulnerabilities by Industry
Our clients span a wide range of industries, but for the purposes of this report, we have classified them into one of four broad industry categories: Financial, Healthcare, Technology, and Other. We found that each industry faces its own, specific security challenges.
In many cases, these challenges arise because the technology stack common to organizations in a given industry has its own exposure profile. The tools that an organization uses to manage vulnerabilities and track remediation efforts therefore need to be flexible and configurable enough to address that exposure profile.
Security Vulnerabilities by Vendor
Next, we looked at the number of security vulnerabilities per vendor. To get the best picture of what a “typical” client faces, we measured the median number of vulnerabilities each client has, rather than the mean, so that a single client with an unusually large backlog does not skew the result. Microsoft and Adobe vulnerabilities always tend to be at the top of the chart due to their prevalence across many industries. However, Oracle products and Java vulnerabilities are also important to consider.
NopSec also found that social media, particularly Twitter, has become the go-to resource for security researchers and attackers looking to disseminate proof-of-concept exploits. The most-tweeted-about CVEs (Common Vulnerabilities and Exposures) concerned well-publicized, dangerous vulnerabilities.
Because of the correlation between social media activity and the degree of risk that a vulnerability poses to an organization, NopSec collects Twitter data and incorporates it as one component of its security vulnerability assessment.
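As an added illustration of the two methodology points above (it is not code from the report or from NopSec's tooling), the following Python computes the per-vendor median alongside the mean over constructed per-client findings, showing how an outlier client moves the mean but not the median, and then folds a constructed social-media mention count into an assumed prioritisation score. The client names, CVE placeholders, severity values, mention counts, weight and cap are all assumptions.

```python
from collections import Counter
from statistics import mean, median

# Constructed sample findings (client, vendor, CVE placeholder); not NopSec data.
FINDINGS = [
    ("client-1", "Microsoft", "CVE-EXAMPLE-1"),
    ("client-1", "Microsoft", "CVE-EXAMPLE-2"),
    ("client-1", "Adobe", "CVE-EXAMPLE-3"),
    ("client-2", "Microsoft", "CVE-EXAMPLE-1"),
    ("client-2", "Adobe", "CVE-EXAMPLE-3"),
    ("client-2", "Oracle", "CVE-EXAMPLE-4"),
    ("client-3", "Microsoft", "CVE-EXAMPLE-2"),
    ("client-3", "Microsoft", "CVE-EXAMPLE-5"),
    # client-4 is an outlier with a large unpatched Oracle estate
    ("client-4", "Oracle", "CVE-EXAMPLE-4"),
    ("client-4", "Oracle", "CVE-EXAMPLE-6"),
    ("client-4", "Oracle", "CVE-EXAMPLE-7"),
    ("client-4", "Oracle", "CVE-EXAMPLE-8"),
]
# Constructed base severities (CVSS-style 0-10) and public-mention counts per CVE;
# the mention counts stand in for the Twitter feed the report describes.
SEVERITY = {"CVE-EXAMPLE-1": 7.5, "CVE-EXAMPLE-2": 5.0, "CVE-EXAMPLE-3": 6.1,
            "CVE-EXAMPLE-4": 9.8, "CVE-EXAMPLE-5": 8.8, "CVE-EXAMPLE-6": 4.3,
            "CVE-EXAMPLE-7": 7.2, "CVE-EXAMPLE-8": 5.5}
MENTIONS = {"CVE-EXAMPLE-1": 120, "CVE-EXAMPLE-4": 3, "CVE-EXAMPLE-5": 45}

def per_client_counts(findings):
    """vendor -> per-client finding counts, one entry per client (0 when none)."""
    clients = sorted({c for c, _, _ in findings})
    vendors = sorted({v for _, v, _ in findings})
    counts = Counter((c, v) for c, v, _ in findings)
    return {v: [counts[(c, v)] for c in clients] for v in vendors}

def vendor_stats(findings):
    """(median, mean) findings per client for each vendor; the median resists outliers."""
    return {v: (median(n), mean(n)) for v, n in per_client_counts(findings).items()}

def risk_score(cve, mention_cap=100, weight=2.0):
    """Assumed scoring: base severity plus a bounded boost for social-media chatter."""
    chatter = min(MENTIONS.get(cve, 0), mention_cap) / mention_cap
    return round(SEVERITY[cve] + weight * chatter, 2)

def prioritise(findings):
    """Distinct CVEs seen across all clients, highest assumed risk first."""
    return sorted({cve for _, _, cve in findings}, key=lambda c: (-risk_score(c), c))
```

With these inputs Microsoft and Oracle share the same mean (1.25 findings per client) but Oracle's median is 0.5 against Microsoft's 1.5, which is the distortion the report's choice of median avoids.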
Download the full 2017 State of Vulnerability Risk Management Report to learn more about the state of risk assessment and vulnerability in 2016.