With the growing concerns around cyber-security, organizations should adopt a multi-layered security approach to their vulnerability management system.
Last year the US National Institute of Standards and Technology (NIST, part of the US Department of Commerce) logged more than 18,000 security vulnerabilities. Over 10,000 of those flaws were rated critical or high severity, an all-time high.
In its analysis of those records, the security researchers at Redscan look beyond severity scores, detailing the rise of low-complexity vulnerabilities and of those that require no user interaction to exploit.
Such trends are a concern for security teams globally and highlight the need for enterprises to focus on their patch management efforts. Companies should also adopt a multi-layered cyber-security approach to vulnerability management.
However, the Redscan study also indicated some positive trends, including a decrease in CVEs that require no privileges to exploit. When analyzing the potential risk a vulnerability poses, companies must consider more than its severity score.
In the real world, many CVEs are never or rarely exploited because they are highly complex to exploit or require the attacker to already hold high-level privileges. According to the statistics, the CVEs of 2020 break down as follows:
- More cyber-security vulnerabilities (18,103) were disclosed in 2020 than in any previous year, an average of roughly 50 CVEs per day
- Nearly 57% of the vulnerabilities (10,342) in 2020 were tracked as ‘critical’ or ‘high’ severity
- Low-complexity CVEs are on the rise, representing almost 63% of the vulnerabilities disclosed last year
- Vulnerabilities that require no user interaction to exploit are notably increasing, representing around 68% of all CVEs recorded in 2020
- Vulnerabilities that require no user privileges to exploit are declining (from 71% in 2016 to 58% in 2020)
The pandemic year 2020 saw a massive spike in physical and adjacent vulnerabilities. This is most likely due to the proliferation of smart devices and IoT in use and under test by researchers.
As George Glass, Head of Threat Intelligence at Redscan, explains – “Analysis of the NIST NVD presents a mixed outlook for security teams. Vulnerabilities are on the rise, including some of the most dangerous variants. However, we’re seeing more positive signs, including a drop in the percentage of vulnerabilities which require no user privileges to exploit.”
Underestimating flaws that appear to be low risk can leave organizations open to ‘chaining’, in which attackers move from one vulnerability to another to gain access at increasingly critical stages, bit by bit.
Identifying which vulnerabilities to prioritize is a constant challenge in IT security, precisely because the number of CVEs continues to grow. To aid decision-making, security teams need a concrete understanding of the potential impact of such vulnerabilities and how quickly they are being exploited in the wild.
According to the report, “Defence in depth is also important. Not all vulnerabilities are known and patched, so persistent attackers may eventually find a way to breach an organization’s defenses. The trick is having supplementary controls in place, such as continuous network and endpoint monitoring, to mitigate risks.”
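One way to put the "look beyond the severity score" advice into practice is to triage a CVE feed on the same CVSS v3.1 base metrics the report tracks (attack complexity, user interaction, privileges required) and flag the medium- and low-rated entries that are nevertheless trivially reachable. The following is an added example, not code from Redscan, NIST or this article; the feed it runs on is constructed sample data with placeholder CVE-EXAMPLE-* identifiers rather than real CVEs.

```python
"""Triage a CVE feed by more than its base severity.
Added example, not code from the Redscan report, NIST or this article; the
sample records use placeholder CVE-EXAMPLE-* identifiers, not real CVEs."""
# CVSS v3.x qualitative severity bands: (floor score, label).
SEVERITY_BANDS = [(9.0, "CRITICAL"), (7.0, "HIGH"), (4.0, "MEDIUM"), (0.1, "LOW")]

def severity(score: float) -> str:
    """Map a CVSS base score to its qualitative band."""
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label
    return "NONE"

def parse_vector(vector: str) -> dict:
    """Parse 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/...' into {'AV': 'N', 'AC': 'L', ...}."""
    head, *metrics = vector.split("/")
    if not head.startswith("CVSS:3."):
        raise ValueError(f"unsupported vector: {vector}")
    return dict(m.split(":", 1) for m in metrics)

def easy_to_exploit(metrics: dict) -> bool:
    """The trio the report tracks: low complexity, no user interaction, no privileges."""
    return (metrics.get("AC"), metrics.get("UI"), metrics.get("PR")) == ("L", "N", "N")

def summarize(records: list) -> dict:
    """Return the report's headline percentages plus a watch list of CVEs rated
    below HIGH that are still trivially reachable (candidates for chaining)."""
    total = len(records)
    counts = {"critical_or_high": 0, "low_complexity": 0, "no_user_interaction": 0, "no_privileges": 0}
    watch_list = []
    for cve_id, score, vector in records:
        m = parse_vector(vector)
        band = severity(score)
        counts["critical_or_high"] += band in ("CRITICAL", "HIGH")
        counts["low_complexity"] += m.get("AC") == "L"
        counts["no_user_interaction"] += m.get("UI") == "N"
        counts["no_privileges"] += m.get("PR") == "N"
        if band not in ("CRITICAL", "HIGH") and easy_to_exploit(m):
            watch_list.append(cve_id)
    pct = {k + "_pct": round(100.0 * v / total, 1) for k, v in counts.items()} if total else {}
    return {"total": total, **pct, "watch_list": watch_list}

# Constructed sample feed: (id, CVSS base score, CVSS v3.1 vector). Not real CVEs.
SAMPLE_FEED = [
    ("CVE-EXAMPLE-0001", 9.8, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
    ("CVE-EXAMPLE-0002", 5.3, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"),  # medium, but trivially reachable
    ("CVE-EXAMPLE-0003", 7.8, "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"),  # needs a local foothold
    ("CVE-EXAMPLE-0004", 6.1, "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"),  # needs a user to act
    ("CVE-EXAMPLE-0005", 8.1, "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"),  # high, but hard to exploit
]
```

On the sample feed, `summarize(SAMPLE_FEED)` reports 60% critical or high, 80% low complexity, 80% no user interaction and 80% no privileges, and puts only CVE-EXAMPLE-0002 on the watch list: a medium-severity entry that a severity-only triage would defer even though it needs no privileges, no user action and no special conditions to reach.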