Pace Of Vulnerability Disclosure Shows No Signs Of Slowing In 2018

Risk Based Security today announced the release of our Vulnerability QuickView Report, examining vulnerabilities reported in the first quarter of 2018. The report shows a continuing rise in the number of publicly disclosed vulnerabilities. Unless the pace of vulnerability disclosure slows down in the coming quarters, we are looking at yet another record-breaking year.

Key findings for Q1 2018:

  • 5,375 unique vulnerabilities were reported. This is just a 1.8% increase over the same period in 2017. Note that this number will continue to rise throughout 2018.
  • 1,790 (33.3%) of the vulnerabilities tracked do not have a CVE ID assigned and, therefore, are not available in NVD or in similar databases that rely solely on CVE. 19.7% of these vulnerabilities have a CVSSv2 score between 9.0 and 10.
  • 32.7% of the vulnerabilities have public exploits or sufficient details available to trivially exploit.
  • 49.1% of the vulnerabilities are remotely exploitable.
  • 74.3% of the vulnerabilities have a documented solution, i.e. a proper workaround, patch, or fixed version.

As more and more vulnerabilities are reported, organizations are forced to spend an increasing amount of time and resources to stay properly informed about the weaknesses affecting their IT infrastructure and applications. There is a further cost of ownership, as vulnerabilities disclosed also require proper prioritization, triage, and remediation.

“Every year we see an incredible number of publicly disclosed vulnerabilities missed by the CVE project, and every year we see thousands of data breaches, some caused by not patching known vulnerabilities,” said Brian Martin, Vice President of Vulnerability Intelligence for Risk Based Security. “Organizations that continue to rely on inferior vulnerability intelligence are putting themselves at increased risk of downtime or compromise, which often leads to their customers receiving the brunt of the fallout.”

The good news when looking at the issues disclosed in Q1 2018 is that about three-fourths of the reported vulnerabilities did have a documented solution available. However, that still leaves over 1,300 of the disclosed vulnerabilities with no viable solution. That means organizations relying solely on patch management software for vulnerability remediation are failing to address weaknesses in their infrastructure and applications. After all, if there is no patch, there is nothing for a patch manager to do. That is one reason why incorporating vulnerability intelligence into an asset management system is critical: it allows administrators to identify and implement in-house workarounds or compensating controls until a patch or update becomes available.

Administrators are beginning to realize that better awareness of disclosed vulnerabilities is critical to their operations. Along with this comes the realization that their organization cannot rely on patch management solutions alone. In fact, a multifaceted approach that integrates vulnerability intelligence into both asset and patch management solutions makes life a lot easier for system administrators while ensuring full coverage of potential security issues. But implementing a multifaceted approach requires a reliable source of vulnerability intelligence. Incomplete data sources leave the organization exposed, and tasking staff to research new disclosures themselves is inefficient and time consuming.

“The lack of vulnerability coverage from freely available or US government-funded projects forces companies to make a decision: run the risk of using incomplete vulnerability information, spend significant resources tracking vulnerabilities internally, or seek a vulnerability intelligence feed from a reliable service,” said Carsten Eiram, Chief Research Officer at Risk Based Security. Given the pace of vulnerability disclosure in Q1, a comprehensive intelligence feed is the optimal solution for organizations seeking to maximize the effectiveness of their vulnerability remediation processes.

About the VulnDB QuickView Report

The VulnDB QuickView report is possible through the research conducted by Risk Based Security. It is designed to provide an executive level summary of the key findings from RBS’ analysis of vulnerabilities disclosed so far in 2018. Contact Risk Based Security for any specific analysis of the vulnerabilities.

You can get your copy of the 2018 Q1 VulnDB QuickView report here:

Request a copy of the 2018 Q1 Report

Media are welcome to contact [email protected] with questions.

Organizations curious to learn more about our Vulnerability Intelligence (VulnDB) solution or other offerings are welcome to contact us at [email protected]

About Risk Based Security

Risk Based Security (RBS) provides detailed information and analysis on Data Breaches, Vendor Risk Ratings and Vulnerability Intelligence. Our products, Cyber Risk Analytics (CRA) and VulnDB, provide organizations access to the most comprehensive threat intelligence knowledge bases available, including advanced search capabilities, access to raw data via API, and email alerting to assist organizations in taking the right actions in a timely manner. In addition, our YourCISO offering provides organizations with on-demand access to high quality security and information risk management resources in one, easy to use web portal.

VulnDB is the most comprehensive and timely vulnerability intelligence available and provides actionable information about the latest in security vulnerabilities via an easy-to-use SaaS Portal, or a RESTful API for easy integration into GRC tools and ticketing systems. VulnDB allows organizations to search on and be alerted to the latest vulnerabilities, both in end-user software and the third-party libraries or dependencies that help build applications. A subscription to VulnDB provides organizations with simple to understand ratings and metrics on their vendors and products, and how each contributes to the organization’s risk-profile and cost of ownership.

Cyber Risk Analytics (CRA) provides actionable threat intelligence about organizations that have had a data breach or leaked credentials. This enables organizations to reduce exposure to the threats most likely to impact them and their vendor base. In addition, our PreBreach vendor risk rating, the result of a deep view into the metrics driving cyber exposures, is used to better understand the digital hygiene of an organization and the likelihood of a future data breach. The integration of PreBreach ratings into security processes, vendor management programs, cyber insurance processes and risk management tools allows organizations to avoid costly risk assessments, while enabling businesses to understand their risk posture and act quickly and appropriately to proactively protect their most critical information assets.

YourCISO provides organizations with on-demand access to high quality security and information risk management resources in one easy-to-use web portal. YourCISO gives organizations ready access to senior executives and highly skilled technical security experts with a proven track record, matched specifically to your needs. The YourCISO service is designed to be an affordable long-term solution for addressing information security risks. YourCISO brings together all the elements an organization needs to develop, document and manage a comprehensive information security program.

For more information, please visit:

https://www.riskbasedsecurity.com/

https://vulndb.cyberriskanalytics.com/

https://www.cyberriskanalytics.com/

https://www.yourciso.com/

or call 855-RBS-RISK