In the words of Kevin Mitnick, “Security is always going to be a cat and mouse game because there’ll be people out there that are hunting for the zero-day award, you have people that don’t have configuration management, don’t have vulnerability management, don’t have patch management.” Many of us don’t like Kevin. Most of us won’t even admit that he was [somewhat] correct in what he said. Well, Kevin is now a good guy. He has left his notorious past behind. He now runs a security firm known as Mitnick Security Consulting. He is also the Chief Hacking Officer and part owner of the security awareness training company KnowBe4.
Sorry, this post is not about Mitnick, nor is it about cat and mouse. I want to talk about how the growing universe of vulnerabilities is affecting organisations and keeping CISOs busy dealing with them. It’s a painful ordeal; never ending, never decreasing…
With this burgeoning behemoth (also a sort of cliché) called ‘Digital Transformation’, the difficulties of a CISO or an InfoSec leader will only increase. They’ll be kept busy dealing with the vulnerabilities that come precisely from the ever-growing stack of business applications, the ballooning cloud environments and widespread end-user devices. This means IT and security teams must have overall visibility and granular control over their entire network infrastructure to manage this process.
As reported by Mordor Intelligence, the Security and Vulnerability Management market was valued at USD 6.61 billion in 2020 and is expected to reach USD 11.72 billion by 2026, growing at a CAGR of 10%. As long as there’s a ‘mouse in the house’, CISOs will face the challenge of defending against the threat of a breach. While the cat is supposedly sharp, the mice are no less smart. And as long as CISOs are expected to keep abreast of new vulnerabilities and risks, and the technology OEMs (SaaS, cloud and device vendors) are expected to bring out timely alerts and patches against potential exploits, this market will never nosedive. That’s my strong assumption.
The ironic part is this. Most vulnerabilities exploited by threat actors are ‘known’ to CISOs and InfoSec organisations. According to Digital Defense, a vulnerability management company, 99% of the vulnerabilities exploited in 2020 had been known to security and IT professionals for at least one year. Whom to blame – the CISO, the security team or someone else? On top of that, there’s a tsunami of zero-day exploits. If we go by the MIT Technology Review’s analysis of the data, “at least 66 zero days have been found in use” (as of September 2021).
Risk Based Security recently released its 2021 year-end ‘Vulnerability Report’, authored by Brian Martin, the company’s VP of Vulnerability Intelligence. Martin has been studying, collecting and cataloguing vulnerabilities since 1993, both personally and professionally. The report is detailed and discusses vulnerability ‘disclosure’. You can read it at leisure; the key findings were:
- There were an aggregated 28,695 vulnerabilities that were disclosed during 2021. That total is the highest number on record.
- Spikes of vulnerability disclosures are occasionally occurring outside of routine ‘Patch Tuesdays’, with one such event resulting in 287 vulnerabilities released in a single day.
- 4,108 vulnerabilities disclosed in 2021 were remotely exploitable, with both a public exploit and documented solution information. By focusing on these issues first, organizations can potentially reduce their risk and immediate workload by nearly 86%.
- Of the vulnerabilities disclosed during 2021, 29% do not have a CVE ID, while an additional 4% have a CVE ID assigned but are in RESERVED status. This means that no actionable information about the vulnerability is yet available in CVE / NVD.
- CVE / NVD’s inability to report on 33% of 2021’s vulnerabilities results in a loss of visibility for organizations seeking to replicate the best practice of focusing on remotely exploitable vulnerabilities that have a public exploit and also a documented solution.
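The triage rule in the third and fourth findings above (work first on what is remotely exploitable, has a public exploit and has documented solution information; treat a missing or RESERVED CVE ID as no information) is easy to apply mechanically once disclosures are held in a structured form. The following is an added example and not code from Risk Based Security or from the report; the record fields, the tracker ids and the CVE-style ids in the sample are constructed placeholders, and the percentages it computes are for the sample, not the report’s figures.

```python
"""Triage disclosed vulnerabilities along the lines the Risk Based Security
report suggests: first wave = remotely exploitable + public exploit + documented
solution; separately measure how many records CVE/NVD cannot yet describe.

Added example, not code from the report or the company. Schema and sample data
are constructed for illustration; the CVE-style ids are placeholders, not real CVEs."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Disclosure:
    # Constructed schema: a minimal view of one disclosed vulnerability.
    vuln_id: str                 # tracker-local id (constructed)
    cve_id: Optional[str]        # None when no CVE ID was assigned
    cve_status: str              # "PUBLISHED", "RESERVED" or "NONE"
    remote: bool                 # remotely exploitable
    public_exploit: bool         # a public exploit exists
    solution: bool               # vendor fix or mitigation documented
    cvss: float                  # severity, used only to order the first wave


def has_actionable_cve(d: Disclosure) -> bool:
    """A CVE ID is only useful once published; RESERVED carries no details yet."""
    return d.cve_id is not None and d.cve_status == "PUBLISHED"


def is_first_wave(d: Disclosure) -> bool:
    """The report's 'fix these first' criterion."""
    return d.remote and d.public_exploit and d.solution


def triage(records: List[Disclosure]) -> Tuple[List[Disclosure], List[Disclosure], float]:
    """Split records into the first wave (highest CVSS first) and the remainder.

    The third value is the share of records that can be deferred once the
    first wave is done, i.e. the immediate workload reduction.
    """
    first = sorted((d for d in records if is_first_wave(d)), key=lambda d: -d.cvss)
    rest = [d for d in records if not is_first_wave(d)]
    reduction = len(rest) / len(records) if records else 0.0
    return first, rest, reduction


def cve_visibility_gap(records: List[Disclosure]) -> float:
    """Share of records for which CVE/NVD offers no actionable information."""
    if not records:
        return 0.0
    return sum(1 for d in records if not has_actionable_cve(d)) / len(records)


# Constructed sample: seven disclosures with the fields above.
SAMPLE = [
    Disclosure("V-001", "CVE-2021-00001", "PUBLISHED", True, True, True, 9.8),
    Disclosure("V-002", "CVE-2021-00002", "PUBLISHED", True, False, True, 7.5),
    Disclosure("V-003", None, "NONE", True, True, True, 8.1),
    Disclosure("V-004", "CVE-2021-00004", "RESERVED", False, False, False, 5.3),
    Disclosure("V-005", "CVE-2021-00005", "PUBLISHED", True, True, False, 9.1),
    Disclosure("V-006", "CVE-2021-00006", "PUBLISHED", False, True, True, 6.5),
    Disclosure("V-007", "CVE-2021-00007", "PUBLISHED", True, True, True, 7.2),
]

if __name__ == "__main__":
    first, rest, reduction = triage(SAMPLE)
    print("First wave:", [d.vuln_id for d in first])
    print(f"Deferred share of workload: {reduction:.0%}")
    print(f"Records without actionable CVE: {cve_visibility_gap(SAMPLE):.0%}")
```

Note that V-003 lands in the first wave even though it has no CVE ID: the triage criterion is about exploitability and fixability, which is exactly why a feed limited to CVE/NVD would have hidden it, as the fifth finding says.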
As the report says, the most interesting aspect to the 2021’s total list is the ‘short time’ it took to exceed the past years. “In the 2021 mid-year report, the difference between 2020 and 2021 was only around 400. In the second half of the year, that gap then increased by over 3,500. This is a considerable increase, further lending to the idea that we are seeing the disclosure landscape shake off the pandemic as researchers return to their normal output,” it says.
Another interesting statistic comes from Bugcrowd, a crowd-sourced security platform, which last month released its 2022 ‘Priority One’ report. The report reveals that the strategic focus for many organisations has shifted, with the emphasis now on clearing the residual security debt associated with digital transformation. In particular, financial services companies on Bugcrowd’s platform saw a 185% increase in Priority One (P1) submissions, which refer to the most critical vulnerabilities, in the last 12 months.
Based on activity recorded on the Bugcrowd Security Knowledge Platform, the report found an increase in ransomware and a reimagining of supply chains, leading to more complex attack surfaces during the pandemic. Ransomware overtook personal data breaches as the threat that dominated cybersecurity news across the world in 2021. “Security buyers invested heavily to incentivize ethical hackers to find critical threats, causing P1 and P2 bugs to make up 24% of all valid submissions for the year,” the report says.
Bugcrowd asked the survey respondents how sustainable it is to ‘stay ahead’ in this game, and a majority (81%) said that “the cost of staying ahead of attackers is unsustainable.” This gives the attackers an advantage; however, it doesn’t mean they will always win the game.
What were the top 10 vulnerabilities identified in 2021? Well, here’s a chart that tells the long story in short:
[Extracted from the report]: The types of vulnerabilities submitted, as defined by the Vulnerability Rating Taxonomy (VRT) developed by Bugcrowd, are also evolving in the new security environment. There was some change at the top in 2021, where Cross-Site Scripting overtook Broken Access Control as the most commonly identified vulnerability type, reverting to the 2019 top two and reflecting the rapid deployment of home-grown web applications throughout 2020 and 2021. In third place, Sensitive Data Exposure involving Internal Assets leapt six places from ninth last year, brought on by an increased emphasis on scanning as a means of uncovering vulnerabilities.
Another interesting disclosure (data point) came from Stack Watch. According to the Stack Watch data, there were 20175 security vulnerabilities (CVEs) published in 2021, up from 17048 (in 2020). The average severity was 7.1 out of 10, which was about the same as 2020.
Below is an infographic that shows the top ten vendors by vulnerabilities:
Vulnerability Disclosure: Will It Solve the Problem?
The data that I’ve shared above is no less than scary. But what’s the outcome of all of this?
- Should we sit quietly and be reactive?
- Shall we just wait for the attackers to strike and respond as the attacks unfold?
- Shall we totally depend on the mercy of the OEMs and Software vendors to take the next steps?
Perhaps yes, or maybe not!
So, what’s the remedy? To me, nothing works better than a good Vulnerability Disclosure Program. Vulnerability disclosure is the process by which the vulnerabilities in a piece of software are brought into the public domain; put simply, it is reporting security flaws. Yes, one needs a strong team (or set of individuals) of security researchers, pen-testers, third-party assessors or similar who identify the gaps and work with the respective vendors to plug them before they are found and exploited by threat actors.
According to Kevin Townsend, senior contributor with Security Week, “we need to understand three terms: vulnerabilities (a flaw or bug in code); exploits (a methodology used to manipulate the vulnerability); and patching (fixing the vulnerability by the vendor and implementing the fix by the user).” I am sure CISOs and InfoSec leaders are well-versed with these terms.
In this day, when technology is business, vulnerability disclosure is a critical process to keep the business environment secure – as much as possible.
Townsend puts it in very plain, simple words. “Security researchers find the flaws, report them to the vendors, who then fix them. That’s the theory. When it works, it works well; but it doesn’t always work. There are two basic approaches to vulnerability disclosure from the researchers, which are characterized by the terms ‘full disclosure’ and ‘responsible disclosure’.”
If you think you have a handicap here, seek help or expert intervention. I came across a great example: James Johnson, CISO of John Deere, the farm and heavy-equipment machinery maker, worked with HackerOne and launched a public Vulnerability Disclosure Program. You can read the short description here.
You can also use a plethora of other means, such as bug bounties or similar crowd-sourced methods.
Lastly, be sure that you’re not showing any lethargy on the ‘patching’ front. The researchers and security analysts play their part well, and the vendors fix the bugs and release patches in time, but are the users, the enterprises, applying those patches in time? The buck stops here. Remember the infamous Equifax hack of 2017? As you’d know, the flaw was disclosed and patched two months before the breach occurred, but unfortunately Equifax failed to apply the patch on all its servers, and the fallout was catastrophic.
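The patching question above is answerable with data an enterprise already holds: which hosts still run the affected product below the version that contains the fix, and how long that fix has been available. The following added example is not code from the post, from Equifax or from any vendor; it assumes a constructed inventory format, a dotted numeric version scheme, made-up host and product names and dates, and an `sla_days` threshold that is an assumption of the example. It compares versions numerically so that a “2.10.0” host is not mistaken for one older than “2.3.1”.

```python
"""Fleet patch-coverage check: which hosts still lack a published vendor fix,
what the coverage ratio is, and whether the exposure window has passed the SLA.

Added example, not code from the post or any vendor. Inventory schema, version
scheme, host names, product names and dates are constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.4.10' into (2, 4, 10) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Host:
    name: str        # constructed host name
    product: str     # product installed on the host
    version: str     # installed version, dotted numeric (assumed scheme)


@dataclass(frozen=True)
class Fix:
    product: str
    fixed_version: str   # first version that contains the fix
    released: date       # date the vendor published the fix


def unpatched(hosts: List[Host], fix: Fix) -> List[Host]:
    """Hosts running the affected product at a version below the fixed one."""
    floor = parse_version(fix.fixed_version)
    return [h for h in hosts
            if h.product == fix.product and parse_version(h.version) < floor]


def exposure_report(hosts: List[Host], fix: Fix, today: date, sla_days: int) -> Dict[str, object]:
    """Summarise coverage for one fix and flag hosts exposed beyond the SLA.

    Every unpatched host has been exposed since the fix was released, so the
    SLA check is the same for all of them; the list names the offenders.
    """
    in_scope = [h for h in hosts if h.product == fix.product]
    missing = unpatched(hosts, fix)
    patched = len(in_scope) - len(missing)
    days_since_fix = (today - fix.released).days
    return {
        "in_scope": len(in_scope),
        "patched": patched,
        "coverage": patched / len(in_scope) if in_scope else 1.0,
        "days_since_fix": days_since_fix,
        "unpatched": [h.name for h in missing],
        "sla_breached": [h.name for h in missing] if days_since_fix > sla_days else [],
    }


# Constructed sample inventory and a constructed fix record.
SAMPLE_HOSTS = [
    Host("web-01", "webfw", "2.3.1"),    # exactly the fixed version: patched
    Host("web-02", "webfw", "2.3.0"),    # one release short: unpatched
    Host("web-03", "webfw", "2.2.9"),    # unpatched
    Host("web-04", "webfw", "2.10.0"),   # newer than the fix: patched (numeric compare)
    Host("db-01", "dbserver", "1.0.0"),  # different product: out of scope
]
SAMPLE_FIX = Fix("webfw", "2.3.1", date(2021, 3, 1))

if __name__ == "__main__":
    report = exposure_report(SAMPLE_HOSTS, SAMPLE_FIX, date(2021, 5, 1), sla_days=30)
    print(f"Coverage: {report['patched']}/{report['in_scope']} ({report['coverage']:.0%})")
    print(f"Fix available for {report['days_since_fix']} days")
    print("Past SLA:", report["sla_breached"])
```

Run against the sample it reports two of four in-scope hosts patched and, sixty-one days after the fix was published, flags the two stragglers as past a thirty-day SLA; run with a `today` inside the SLA window the same two hosts are still listed as unpatched but not yet as breaches.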