
29% Increase In Vulnerabilities Already Disclosed In 2017

Posted By - DynamicCISO,

Risk Based Security last week announced the release of its VulnDB QuickView for the first quarter of 2017. The report shows an unrelenting rise in the number of vulnerabilities being reported. Unless the pace of vulnerability disclosure slows down in the coming quarters, it appears to be yet another record-breaking year.

Key findings for Q1 2017:

  • 4,837 unique vulnerabilities were reported. This is a 29.2% increase over the same period in 2016.
  • 2,274 (47.0%) of the vulnerabilities tracked do not have CVEs assigned and, therefore, are not available in NVD and similar databases solely relying on CVE. 15.7% of these vulnerabilities have a CVSSv2 score between 9.0 and 10.
  • 35.1% of the vulnerabilities have public exploits or sufficient details available to trivially exploit.
  • 50.4% of the vulnerabilities are remotely exploitable.
  • 72.4% of the vulnerabilities have a documented solution, i.e., a proper workaround, patch, or fixed version.

As more and more vulnerabilities are being reported, organizations are forced to spend an increasing amount of resources to stay properly informed about vulnerabilities affecting their IT infrastructure and applications. There is a further cost of ownership, as vulnerabilities disclosed also require proper prioritization, triage, and remediation.

“It is clear that relying solely on CVE/NVD or similar sources is not a viable solution as about half of the vulnerabilities will be missed,” said Carsten Eiram, Chief Research Officer for Risk Based Security. “Doing so constitutes a significant threat when considering that half of the reported vulnerabilities are remotely exploitable and about a third have exploits available.”

The good news when looking at the issues disclosed in Q1 2017 is that, fortunately, about three-fourths of the reported vulnerabilities did have a documented solution available. However, that still leaves one-quarter of the reported vulnerabilities with no solution. That means organizations relying solely on patch management for vulnerability remediation are failing to address weaknesses in their infrastructure and applications. After all, if there is no patch, there is nothing for a patch manager to do. That is one reason why incorporating vulnerability intelligence into an asset management system is so important. It allows administrators to identify and implement workaround solutions until a patch or update becomes available.

Administrators are beginning to realize that better awareness of disclosed vulnerabilities is critical to their operations. Along with this comes the realization that their organization cannot rely on patch management solutions alone. In fact, a multifaceted approach that integrates vulnerability intelligence into both asset and patch management solutions makes life a lot easier for system administrators while ensuring full coverage of potential security issues. But implementing a multifaceted approach requires a reliable source of vulnerability intelligence. Incomplete data sources leave the organization exposed, and tasking staff to research new disclosures is inefficient and time-consuming.
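The two points made above, that a CVE-only view hides part of the feed and that patch management has nothing to act on when no fix exists, are easiest to see on a concrete feed. The following is an added example, not code from DynamicCISO, Risk Based Security or VulnDB: it runs a small triage pass over constructed sample records, measures the CVE-only coverage gap, and assigns each item affecting an inventoried asset either a "patch" or a "workaround" action ordered by an assumed urgency score. The record fields, the scoring weights, the `VULN-` identifiers and the `CVE-XXXX-PLACEHOLDER-*` values are all assumptions made for illustration.

```python
# Added example, not code from DynamicCISO or Risk Based Security: a small
# triage pass over a constructed vulnerability feed. It shows how much of the
# feed a CVE-only source (NVD and similar) would miss, and which items need a
# workaround because no patch or fixed version exists yet. Scoring weights,
# record fields and identifiers are all assumptions made for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str             # the feed's own identifier (hypothetical scheme)
    cve_id: Optional[str]    # None when no CVE has been assigned
    cvss_v2: float           # CVSSv2 base score, 0.0 - 10.0
    remote: bool             # remotely exploitable
    public_exploit: bool     # exploit or trivially exploitable details public
    fix_available: bool      # patch, fixed version or documented workaround
    in_inventory: bool       # affected product found in our asset inventory


# Constructed sample records; the CVE values are placeholders, not real IDs.
SAMPLE_FEED: List[VulnRecord] = [
    VulnRecord("VULN-0001", "CVE-XXXX-PLACEHOLDER-1", 9.3, True, True, True, True),
    VulnRecord("VULN-0002", None, 10.0, True, True, False, True),
    VulnRecord("VULN-0003", None, 4.3, False, False, True, True),
    VulnRecord("VULN-0004", "CVE-XXXX-PLACEHOLDER-2", 7.5, True, False, False, False),
    VulnRecord("VULN-0005", None, 6.8, True, True, True, True),
    VulnRecord("VULN-0006", "CVE-XXXX-PLACEHOLDER-3", 5.0, False, False, True, True),
]


def cve_coverage_gap(feed: List[VulnRecord]) -> float:
    """Fraction of records a CVE-only data source would never show."""
    if not feed:
        return 0.0
    missing = sum(1 for r in feed if r.cve_id is None)
    return missing / len(feed)


def high_severity_without_cve(feed: List[VulnRecord]) -> List[str]:
    """IDs of records with no CVE and a CVSSv2 score of 9.0 or above."""
    return [r.vuln_id for r in feed if r.cve_id is None and r.cvss_v2 >= 9.0]


def priority_score(rec: VulnRecord) -> int:
    """Assumed weighting: CVSS as the base, then the three attributes the
    report tracks that make an issue more urgent (remote, public exploit,
    no fix available)."""
    score = round(rec.cvss_v2 * 10)
    if rec.remote:
        score += 30
    if rec.public_exploit:
        score += 40
    if not rec.fix_available:
        score += 20
    return score


def recommended_action(rec: VulnRecord) -> str:
    """Patch management can only act when a fix exists; otherwise the asset
    owner needs a workaround (configuration change, access restriction)."""
    return "patch" if rec.fix_available else "workaround"


def triage(feed: List[VulnRecord]) -> List[Dict[str, object]]:
    """Keep only records affecting inventoried assets, most urgent first."""
    rows = [
        {
            "vuln_id": r.vuln_id,
            "cve_id": r.cve_id,
            "score": priority_score(r),
            "action": recommended_action(r),
        }
        for r in feed
        if r.in_inventory
    ]
    return sorted(rows, key=lambda row: row["score"], reverse=True)


if __name__ == "__main__":
    print(f"CVE-only coverage gap: {cve_coverage_gap(SAMPLE_FEED):.0%}")
    print("Critical and no CVE:", high_severity_without_cve(SAMPLE_FEED))
    for row in triage(SAMPLE_FEED):
        print(row)
```

On the sample feed, half the records have no CVE at all, one of them a CVSSv2 10.0 issue, so a CVE-only feed would not show it; that same record also has no fix, so it lands at the top of the triage list with a "workaround" action rather than a "patch" action, which is the case a patch-only process silently drops. The asset-inventory filter is what turns a raw feed into work the organization actually owns.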

“The lack of vulnerability coverage from freely available or US-funded government projects forces companies to make a decision: run the risk of using incomplete vulnerability information, spend significant resources tracking vulnerabilities internally, or seek a vulnerability intelligence feed from a reliable service,” added Eiram. Given the pace of vulnerability disclosure in Q1, a comprehensive intelligence feed is an optimal solution for organizations seeking to maximize the effectiveness of their vulnerability remediation processes.
