7,900 Vulnerabilities In 2017 You Aren’t Aware Of May Put Your Organization At Risk
February 15, 2018 • RBS
2017 set an all-time high for the number of disclosed vulnerabilities, according to Risk Based Security.
RICHMOND, VA, January 26, 2018 — Risk Based Security today announced the release of the year end VulnDB QuickView report that shows 2017 broke the previous all-time record for the highest number of reported vulnerabilities. The 20,832 vulnerabilities cataloged during 2017 by Risk Based Security (VulnDB) eclipsed the total covered by MITRE’s Common Vulnerability Enumeration (CVE) and the National Vulnerability Database (NVD) by more than 7,900.
“Organizations that track and triage vulnerability patching saw no relief in 2017, as it was yet another record-breaking year for vulnerability disclosures. The increasingly difficult task of protecting digital assets has never been so critical to businesses as we continue to see a rise in compromised organizations and data breaches. If your vulnerability intelligence solution didn’t offer information on the more than 20,000 vulnerabilities disclosed in 2017, your organization is at an increased risk”, said Brian Martin, VP of Vulnerability Intelligence for Risk Based Security.
“Incredibly, we see too many companies still relying on CVE and NVD for vulnerability tracking, despite the US government funded organization falling short year after year. While some argue that the CVE/NVD solution is ‘good enough’, that simply isn’t the case. Just look at the number of web and computer hacking data breaches reported on a regular basis. In addition to a false sense of security, the ‘good enough’ mindset often leads some to believe that the important vulnerabilities are covered, and that isn’t the case either,” added Martin.
In fact, the 7,900 vulnerabilities published by VulnDB in 2017 that are not found in CVE/NVD impact prevalent products used in organizations of all sizes. While the number of CVE assignments continues to rise, the actual coverage still lags behind. Of the more than 18,000 CVE IDs that were assigned or allotted to CVE Numbering Authorities (CNAs), almost seven thousand were in RESERVED status despite 1,342 of them having a public disclosure. This seems to indicate that MITRE is more focused on assigning and increasing the number of IDs than on ensuring the quality of the data.
The newly released 2017 Year End VulnDB QuickView report from Risk Based Security shows that 39.3% of reported vulnerabilities received CVSS scores above 7.0. This means that not only has the number of vulnerabilities been increasing, but the CVSS scores are also trending higher over the last five years. In 2017, web-related issues accounted for over half of all vulnerabilities disclosed, 31.5% had public exploits, and 24.1% had no solution at the time of the report.
The VulnDB QuickView report also revealed that while relationships between researchers and vendors can at times appear strained, the two sides are continuing to attempt to work together. The share of vulnerabilities disclosed in a coordinated fashion with vendors was relatively consistent at 44.8%, compared to 45.6% in 2016.
“From operating systems and software installed on client and server systems to IoT and SCADA devices, vulnerabilities continue to be a major concern. Using metrics to help determine which vendors and products are putting your organization at risk needs to be a key part of your vendor risk management and procurement process,” says Carsten Eiram, Chief Research Officer. “The ability to properly use vulnerability data to help with the decision making process is important and we have ensured this is built into our VulnDB solution.”
About the Vulnerability QuickView Report
The VulnDB QuickView report is possible through the research conducted by Risk Based Security’s VulnDB team. It is designed to provide an executive level summary of the key findings from RBS’ analysis of vulnerabilities disclosed in 2017. Contact Risk Based Security for any specific analysis of the 2017 vulnerabilities.
You can get your copy of the 2017 Vulnerability QuickView report here:
About Risk Based Security
Risk Based Security (RBS) provides detailed information and analysis on Data Breaches, Vendor Risk Ratings and Vulnerability Intelligence. Our products, Cyber Risk Analytics (CRA) and VulnDB, provide organizations access to the most comprehensive threat intelligence knowledge bases available, including advanced search capabilities, access to raw data via API, and email alerting to assist organizations in taking the right actions in a timely manner. In addition, our YourCISO offering provides organizations with on-demand access to high quality security and information risk management resources in one easy-to-use web portal.
VulnDB is the most comprehensive and timely vulnerability intelligence available and provides actionable information about the latest security vulnerabilities via an easy-to-use SaaS Portal, or a RESTful API for easy integration into GRC tools and ticketing systems. VulnDB allows organizations to search on and be alerted to the latest vulnerabilities, both in end-user software and in the third-party libraries or dependencies that help build applications. A subscription to VulnDB provides organizations with simple-to-understand ratings and metrics on their vendors and products, and how each contributes to the organization’s risk profile and cost of ownership.
Cyber Risk Analytics (CRA) provides actionable threat intelligence about organizations that have had a data breach or leaked credentials. This enables organizations to reduce exposure to the threats most likely to impact them and their vendor base. In addition, our PreBreach vendor risk rating, the result of a deep view into the metrics driving cyber exposures, is used to better understand the digital hygiene of an organization and the likelihood of a future data breach. The integration of PreBreach ratings into security processes, vendor management programs, cyber insurance processes and risk management tools allows organizations to avoid costly risk assessments, while enabling businesses to understand their risk posture and act quickly and appropriately to proactively protect their most critical information assets.
YourCISO provides organizations with on-demand access to high quality security and information risk management resources in one easy-to-use web portal. YourCISO gives organizations ready access to senior executives and highly skilled technical security experts with a proven track record, matched specifically to your needs. The YourCISO service is designed to be an affordable long-term solution for addressing information security risks. YourCISO brings together all the elements an organization needs to develop, document and manage a comprehensive information security program.