2018 State of Vulnerability Risk Management Report
The NopSec 2018 Vulnerability Report aims to shed light on emerging trends in the cybersecurity industry to help our customers and security professionals protect their assets from potential attack. The industry continues to evolve as attackers look for ways to exploit new vulnerabilities that often go unnoticed. Learn more about the latest vulnerabilities and exploits from 2017 to see where the industry is headed.
Threat Prioritization and Classification
When looking at the number and different types of vulnerabilities reported in 2017, we found that many organizations make the mistake of prioritizing potential threats using the CVSS alone. However, we found that a surprisingly high portion of vulnerabilities incorporated into malware or exploit kits are ranked low or medium severity. Counter to commonly accepted practices, focusing only on high-severity vulnerabilities and setting a “cut-off” point for lower scored issues is not a safe or effective strategy when it comes to vulnerability management.
If an organization ignores threats that are ranked with low or medium severity, it could leave itself open to attack even though its IT professionals believe these assets are protected. The CVSS can help organizations prioritize potential vulnerabilities, but this score should not be used in isolation.
Looking at the score alone is also a mistake. The CVE entry itself carries additional information, such as its description and its links to public exploit code, that is valuable when prioritizing potential threats.
- We found that approximately 21% of CVEs published have associated exploit code in the Exploit Database alone. Roughly 95% of vulnerabilities ranked as high have never been linked to malware seen in the wild.
- 44% of CVEs associated with malware were scored as medium or low on the CVSS scale, suggesting that focusing solely on CVEs with high scores (7+) would be a mistake.
- Furthermore, the language used in CVE descriptions lends clues to the fate of vulnerabilities. For example, approximately half of all descriptions of vulnerabilities linked to malware include words and phrases like “allows remote.”
- Vendors most likely to be associated with malware vary significantly, depending on whether all CVE data is taken into consideration or just the last 18 months’ worth. For example, OpenSSL is most commonly associated with malware when considering all CVEs, whereas Canonical (Ubuntu) takes the top spot when considering only recently published CVEs.
- Only half of the Top 20 vulnerabilities derived from NopSec client data can be fixed with a patch. The remaining vulnerabilities represent configuration issues to be fixed or insecure cryptographic algorithms or protocols to be disabled.
- Microsoft is the biggest source of vulnerabilities for financial services organizations. Healthcare, however, has more to worry about from BSD and Linux. All industries have a significant number of Oracle vulnerabilities.
- Cryptojacking, in which attackers use internet-connected devices to secretly mine cryptocurrency without the owner's knowledge, is moving away from torrent and adult entertainment websites and toward the mainstream. Attackers are now cryptojacking Internet of Things devices, many of which have poor or limited security.
- There has also been a noticeable uptick in the number of military-grade or mass-market exploit links. These kinds of attacks make it easy for aspiring hackers to propagate attacks.
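The prioritization argument above, as an added example that is not code from the NopSec report: a small Python ranker that scores constructed CVE records by CVSS base score plus the signals the report discusses (public exploit code, known malware use, and "allows remote" wording), and compares the result with a CVSS-only ranking and a 7.0 cut-off. The weights and the sample records are illustrative assumptions.

```python
# Added example (not from the NopSec report): rank CVEs using more than the CVSS base score.
# Weights below are illustrative assumptions, not values published in the report.
from dataclasses import dataclass

@dataclass
class CveRecord:
    cve_id: str
    cvss: float
    description: str
    has_public_exploit: bool   # e.g. an Exploit Database entry exists
    linked_to_malware: bool    # seen in malware or an exploit kit in the wild

# Description wording the report flags as predictive of later malware use
REMOTE_PHRASES = ("allows remote", "remote attackers", "remote code execution")

def cvss_only_rank(records):
    """The 'CVSS alone' approach the report warns against: highest base score first."""
    return [r.cve_id for r in sorted(records, key=lambda r: r.cvss, reverse=True)]

def high_only_cutoff(records, cutoff=7.0):
    """A CVSS cut-off: everything scored below 'cutoff' is dropped from the queue."""
    return [r.cve_id for r in records if r.cvss >= cutoff]

def risk_score(r):
    """Threat-informed score: CVSS plus evidence that the flaw is actually being used."""
    score = r.cvss                       # 0-10 base severity
    if r.linked_to_malware:
        score += 6.0                     # strongest signal: actively exploited in the wild
    if r.has_public_exploit:
        score += 3.0                     # weaponisation is cheap once exploit code is public
    if any(p in r.description.lower() for p in REMOTE_PHRASES):
        score += 1.5                     # remote wording in the CVE description
    return score

def threat_informed_rank(records):
    return [r.cve_id for r in sorted(records, key=risk_score, reverse=True)]

# Constructed sample data; the IDs are placeholders, not real CVE numbers
SAMPLE = [
    CveRecord("CVE-XXXX-0001", 9.8, "Buffer overflow allows local users to gain privileges", False, False),
    CveRecord("CVE-XXXX-0002", 5.3, "Flaw allows remote attackers to execute arbitrary code", True, True),
    CveRecord("CVE-XXXX-0003", 7.5, "Denial of service via crafted packet", False, False),
    CveRecord("CVE-XXXX-0004", 4.3, "Allows remote attackers to bypass authentication", True, False),
]

if __name__ == "__main__":
    print("CVSS only      :", cvss_only_rank(SAMPLE))
    print("Threat-informed:", threat_informed_rank(SAMPLE))
    print("Dropped by 7.0 cut-off:", [r.cve_id for r in SAMPLE if r.cvss < 7.0])
```

In the sample, the medium-scored CVE that is both weaponised and seen in malware moves to the top of the threat-informed list, while a 7.0 cut-off would have removed it from the remediation queue entirely.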
Companies across all industries should keep this information in mind when evaluating their security operations and introducing a new vulnerability management system. The full 2018 Security Risk Management Report examines the attributes of security vulnerabilities viewed through a variety of lenses. Download it today to learn more about these latest trends in the cybersecurity landscape.