[BreachExchange] 15,000 Vulnerabilities Disclosed In 2016 – Major Vendors Continue To Be Affected

Audrey McNeil audrey at riskbasedsecurity.com
Mon Feb 6 19:11:43 EST 2017


https://www.riskbasedsecurity.com/2017/02/15000-vulnerabilities-disclosed-in-2016-major-vendors-continue-to-be-affected/

Risk Based Security today announced the release of the annual VulnDB
QuickView report that shows 2016 broke the previous all-time record for the
highest number of reported vulnerabilities. The 15,000 vulnerabilities
cataloged during 2016 by Risk Based Security eclipsed the total covered by
the CVE and National Vulnerability Database (NVD) by more than 6,500.

“Another record-breaking year in the number of vulnerabilities disclosed
underlines the importance of relying on a proper Vulnerability Intelligence
solution. For most companies, tracking vulnerabilities affecting their
infrastructure has become a daunting task that is either too big to handle
on their own or simply not financially viable compared to out-sourcing the
tracking”, said Carsten Eiram, Chief Research Officer for Risk Based
Security.

“While never designed for such use, we see too many companies still relying
on CVE for vulnerability tracking. Many argue that it is at least better
than nothing, but it presents too great a risk for organizations, as it
lulls them into a false sense of security by mistakenly having them think
they’ve got the most important vulnerabilities covered. Organizations need
to understand that this is not remotely close to a feasible solution”,
added Eiram.

In fact, almost half (6,659) of the vulnerabilities published in 2016 are
not found in CVE/NVD at all, and these include vulnerabilities in widely
deployed products: 1,391 of them received CVSS scores between 9.0 and
10.0. While the total number of vulnerabilities has gone up, CVE covered
8.2% fewer in 2016 than at its 2014 high-water mark of 9,088. Furthermore,
1,945 of the 2016 vulnerabilities that were published with CVE identifiers
are still missing details in the CVE database and are therefore also
absent from NVD.

The newly released 2016 Year End VulnDB QuickView report from Risk Based
Security shows that 20.5% of reported vulnerabilities received CVSS scores
between 9.0 and 10.0. Not only has the number of vulnerabilities been
increasing; CVSS scores have also trended higher over the last five years.
48.9% of 2016 vulnerabilities can be exploited remotely, and 32.8% of 2016
vulnerabilities had a public exploit available.

The VulnDB QuickView report also revealed that, while relationships between
researchers and vendors can at times appear strained, the two sides are
still working together: the share of vulnerabilities disclosed in a
coordinated fashion with vendors rose to 44.9% in 2016.

“From operating systems and software installed on client and server systems
to IoT and SCADA devices, vulnerabilities continue to be a major concern.
Using metrics to help determine which vendors and products are putting your
organization at risk needs to be a key part of your vendor risk management
and procurement process,” says Eiram. “The ability to properly use
vulnerability data to help with the decision making process is important,
and we have ensured this is built into our VulnDB solution.”

About the VulnDB QuickView Report

The VulnDB QuickView report is based on research conducted by Risk Based
Security. It is designed to provide an executive-level summary of the key
findings from RBS’ analysis of vulnerabilities disclosed in 2016. Contact
Risk Based Security for any specific analysis of the 2016 vulnerabilities.

You can get your copy of 2016 VulnDB QuickView report here:

https://pages.riskbasedsecurity.com/2016-ye-vuln-quickview

About Risk Based Security

Risk Based Security (RBS) provides detailed information and analysis on
Data Breaches, Vendor Risk Ratings and Vulnerability Intelligence. Our
products, Cyber Risk Analytics (CRA) and VulnDB, provide organizations
access to the most comprehensive threat intelligence knowledge bases
available, including advanced search capabilities, access to raw data via
API, and email alerting to assist organizations in taking the right actions
in a timely manner.  In addition, our YourCISO offering provides
organizations with on-demand access to high quality security and
information risk management resources in one, easy to use web portal.

VulnDB is the most comprehensive and timely vulnerability intelligence
available and provides actionable information about the latest in security
vulnerabilities via an easy-to-use SaaS Portal, or a RESTful API for easy
integration into GRC tools and ticketing systems. VulnDB allows
organizations to search on and be alerted to the latest vulnerabilities,
both in end-user software and the third-party libraries or dependencies
that help build applications. A subscription to VulnDB provides
organizations with simple to understand ratings and metrics on their
vendors and products, and how each contributes to the organization’s
risk-profile and cost of ownership.

Cyber Risk Analytics (CRA) provides actionable threat intelligence about
organizations that have had a data breach or leaked credentials. This
enables organizations to reduce exposure to the threats most likely to
impact them and their vendor base. In addition, our PreBreach vendor risk
rating, the result of a deep view into the metrics driving cyber exposures,
is used to better understand the digital hygiene of an organization and
the likelihood of a future data breach. The integration of PreBreach
ratings into security processes, vendor management programs, cyber
insurance processes and risk management tools allows organizations to avoid
costly risk assessments, while enabling businesses to understand their risk
posture and act quickly and appropriately to proactively protect their most
critical information assets.

YourCISO provides organizations with on-demand access to high quality
security and information risk management resources in one, easy to use web
portal. YourCISO gives organizations ready access to senior executives and
highly skilled technical security experts with a proven track record,
matched specifically to your needs. The YourCISO service is designed to be
an affordable long-term solution for addressing information security
risks. YourCISO brings together all the elements an organization needs to
develop, document and manage a comprehensive information security program.

For more information, please visit:

https://www.riskbasedsecurity.com/

https://vulndb.cyberriskanalytics.com/

https://www.cyberriskanalytics.com/

https://www.yourciso.com/

or call 855-RBS-RISK