[BreachExchange] 7,900 Vulnerabilities In 2017 You Aren’t Aware Of May Put Your Organization At Risk

Inga Goddijn inga at riskbasedsecurity.com
Thu Feb 15 14:22:35 EST 2018


https://www.riskbasedsecurity.com/2018/02/7900-vulnerabilities-in-2017-you-arent-aware-of-may-put-your-organization-at-risk/

Risk Based Security today announced the release of the year end VulnDB
QuickView report that shows 2017 broke the previous all-time record for the
highest number of reported vulnerabilities. The 20,832 vulnerabilities
cataloged during 2017 by Risk Based Security (VulnDB) eclipsed the total
covered by MITRE’s Common Vulnerability Enumeration (CVE) and the National
Vulnerability Database (NVD) by more than 7,900.

“Organizations that track and triage vulnerability patching saw no relief
in 2017, as it was yet another record-breaking year for vulnerability
disclosures. The increasingly difficult task of protecting digital assets
has never been so critical to businesses as we continue to see a rise in
compromised organizations and data breaches. If your vulnerability
intelligence solution didn’t offer information on the more than 20,000
vulnerabilities disclosed in 2017, your organization is at an increased
risk,” said Brian Martin, VP of Vulnerability Intelligence for Risk Based
Security.

“Incredibly, we see too many companies still relying on CVE and NVD for
vulnerability tracking, despite the US government funded organization
falling short year after year. While some argue that the CVE/NVD solution
is ‘good enough’, that simply isn’t the case. Just look at the number of
web and computer hacking data breaches reported on a regular basis. In
addition to a false sense of security, the ‘good enough’ mindset often
leads some to believe that the important vulnerabilities are covered, and
that isn’t the case either,” added Martin.

In fact, the 7,900 vulnerabilities published by VulnDB in 2017 that are not
found in CVE/NVD impact prevalent products used in organizations of all sizes.
While the number of CVE assignments continues to rise, the actual coverage
still lags behind. Of the more than 18,000 CVE IDs that were assigned or
allotted to CVE Numbering Authorities (CNAs), almost seven thousand remained
in RESERVED status, despite 1,342 of them having a public disclosure. This
suggests that MITRE is more focused on assigning and increasing the number of
IDs than on ensuring the quality of the data.

The newly released 2017 Year End VulnDB QuickView report from Risk Based
Security shows that 39.3% of reported vulnerabilities received CVSS scores
above 7.0. This means that not only has the number of vulnerabilities been
increasing, but the CVSS scores are also trending higher over the last five
years. In 2017, web-related issues accounted for over half of all
vulnerabilities disclosed, 31.5% had public exploits, and 24.1% had no
solution at the time of the report.

The VulnDB QuickView report also revealed that while relationships between
researchers and vendors can at times appear strained, the two sides are
continuing to attempt to work together. The share of vulnerabilities disclosed
in a coordinated fashion with vendors was relatively consistent at 44.8%,
compared to 45.6% in 2016.

“From operating systems and software installed on client and server systems
to IoT and SCADA devices, vulnerabilities continue to be a major concern.
Using metrics to help determine which vendors and products are putting your
organization at risk needs to be a key part of your vendor risk management
and procurement process,” says Carsten Eiram, Chief Research Officer. “The
ability to properly use vulnerability data to help with the decision making
process is important and we have ensured this is built into our VulnDB
solution.”