29% Increase In Vulnerabilities Already Disclosed In 2017

2017 starts off with an unrelenting rise in vulnerabilities, according to Risk Based Security

RICHMOND, VA, May 23, 2017 — Risk Based Security today announced the release of our VulnDB QuickView for the first quarter of 2017. The report shows an unrelenting rise in the number of vulnerabilities being reported. Unless the pace of vulnerability disclosure slows down in the coming quarters, we are looking at yet another record-breaking year.

Key findings for Q1 2017:

  • 4,837 unique vulnerabilities were reported. This is a 29.2% increase over the same period in 2016.
  • 2,274 (47.0%) of the vulnerabilities tracked do not have CVEs assigned and, therefore, are not available in NVD and similar databases solely relying on CVE. 15.7% of these vulnerabilities have a CVSSv2 score between 9.0 and 10.
  • 35.1% of the vulnerabilities have public exploits or sufficient details available to trivially exploit.
  • 50.4% of the vulnerabilities are remotely exploitable.
  • 72.4% of the vulnerabilities have a documented solution, i.e. a proper workaround, patch, or fixed version.

As more and more vulnerabilities are being reported, organizations are forced to spend an increasing amount of resources to stay properly informed about vulnerabilities affecting their IT infrastructure and applications. There is a further cost of ownership, as vulnerabilities disclosed also require proper prioritization, triage and remediation.

“It is clear that relying solely on CVE/NVD or similar sources is not a viable solution, as about half of the vulnerabilities will be missed,” said Carsten Eiram, Chief Research Officer for Risk Based Security. “Doing so constitutes a significant threat when considering that half of the reported vulnerabilities are remotely exploitable and about a third have exploits available.”

The good news when looking at the issues disclosed in Q1 2017 is that, fortunately, about three fourths of the reported vulnerabilities did have a documented solution available. However, that still leaves one quarter of the reported vulnerabilities with no solution. That means organizations relying solely on patch management for vulnerability remediation are failing to address weaknesses in their infrastructure and applications. After all, if there is no patch, there is nothing for a patch manager to do. That is one reason why incorporating vulnerability intelligence into an asset management system is so important. It allows administrators to identify and implement workaround solutions until a patch or update becomes available.

Administrators are beginning to realize that better awareness of disclosed vulnerabilities is critical to their operations. Along with this comes the realization that their organization cannot rely on patch management solutions alone. In fact, a multifaceted approach that integrates vulnerability intelligence into both asset and patch management solutions makes life a lot easier for system administrators while ensuring full coverage of potential security issues. But implementing a multifaceted approach requires a reliable source of vulnerability intelligence. Incomplete data sources leave the organization exposed, and tasking staff to research new disclosures is inefficient and time consuming.

“The lack of vulnerability coverage from freely available or US government funded projects forces companies to make a decision: run the risk of using incomplete vulnerability information, spend significant resources tracking vulnerabilities internally, or seek a vulnerability intelligence feed from a reliable service,” added Eiram. Given the pace of vulnerability disclosure in Q1, a comprehensive intelligence feed is the optimal solution for organizations seeking to maximize the effectiveness of their vulnerability remediation processes.

About the VulnDB QuickView Report

The VulnDB QuickView report is possible through the research conducted by Risk Based Security. It is designed to provide an executive level summary of the key findings from RBS’ analysis of vulnerabilities disclosed in 2016. Contact Risk Based Security for any specific analysis of the 2016 vulnerabilities.

You can get your copy of 2016 VulnDB QuickView report here:

https://pages.riskbasedsecurity.com/q1-2017-vulnerability-quickview-report

Media are welcome to contact [email protected] with questions.

Organizations curious to learn more about our Vulnerability Intelligence (VulnDB) solution or other offerings are welcome to contact us at [email protected].

About Risk Based Security

Risk Based Security (RBS) provides detailed information and analysis on Data Breaches, Vendor Risk Ratings and Vulnerability Intelligence. Our products, Cyber Risk Analytics (CRA) and VulnDB, provide organizations access to the most comprehensive threat intelligence knowledge bases available, including advanced search capabilities, access to raw data via API, and email alerting to assist organizations in taking the right actions in a timely manner. In addition, our YourCISO offering provides organizations with on-demand access to high quality security and information risk management resources in one, easy to use web portal.

VulnDB is the most comprehensive and timely vulnerability intelligence available and provides actionable information about the latest in security vulnerabilities via an easy-to-use SaaS Portal, or a RESTful API for easy integration into GRC tools and ticketing systems. VulnDB allows organizations to search on and be alerted to the latest vulnerabilities, both in end-user software and the third-party libraries or dependencies that help build applications. A subscription to VulnDB provides organizations with simple to understand ratings and metrics on their vendors and products, and how each contributes to the organization’s risk-profile and cost of ownership.

Cyber Risk Analytics (CRA) provides actionable threat intelligence about organizations that have had a data breach or leaked credentials. This enables organizations to reduce exposure to the threats most likely to impact them and their vendor base. In addition, our PreBreach vendor risk rating, the result of a deep view into the metrics driving cyber exposures, is used to better understand the digital hygiene of an organization and the likelihood of a future data breach. The integration of PreBreach ratings into security processes, vendor management programs, cyber insurance processes and risk management tools allows organizations to avoid costly risk assessments, while enabling businesses to understand their risk posture and act quickly and appropriately to proactively protect their most critical information assets.

YourCISO provides organizations with on-demand access to high quality security and information risk management resources in one, easy to use web portal. YourCISO gives organizations ready access to senior executives and highly skilled technical security experts with a proven track record, matched specifically to your needs. The YourCISO service is designed to be an affordable long term solution for addressing information security risks. YourCISO brings together all the elements an organization needs to develop, document and manage a comprehensive information security program.

For more information, please visit:

https://www.riskbasedsecurity.com/

https://vulndb.cyberriskanalytics.com/

https://www.cyberriskanalytics.com/

https://www.yourciso.com/

or call 855-RBS-RISK