
New vulnerabilities are coming faster than you can fix them

  • November 21, 2018
  • 0 replies
  • 4 views

TripleHelix
Moderator
Common applications leaving the door open for malicious attackers
David Braue (CSO Online) on 21 November, 2018 14:13
High-severity vulnerabilities are being identified in software faster than enterprise security teams can respond to them, according to a recent survey of application vulnerabilities that warned cybercriminals are targeting out-of-date software that is unlikely to be prioritised in software-patching exercises.
A review of the Common Vulnerabilities and Exposures (CVE) database, conducted as part of the recent Tenable Vulnerability Intelligence Report (VIR), found that 15,038 new vulnerabilities had been reported for the entirety of 2017, with the first half of this year showing a 27 percent increase over the year-ago period.
That rate of growth meant that there would likely be more than 18,000 new vulnerabilities discovered this year – and with some 61 percent of discovered vulnerabilities rated as having a High severity, enterprise application managers must prioritise the patching of an average 870 CVEs per day across 960 assets.
 “Managing vulnerabilities is a challenge of scale, velocity and volume,” the report’s authors note. “It is not just an engineering challenge, but requires a risk-centric view to prioritise thousands of vulnerabilities that superficially all seem the same.”
Even if enterprises only address Critical-rated vulnerabilities – those given a severity score of 9.0 to 10.0 – they will still have had to deal with more than 900 such vulnerabilities by year’s end, the firm’s analysis warned as it launched a Top 20 Vulnerabilities Chart highlighting the vulnerabilities most frequently seen in real-world network scans.
Some of them were application-specific, while others grew out of continued use of antiquated protocols: for example, 27 percent of enterprises were still running services using old and insecure SSLv2 and SSLv3 versions.
Red Hat Enterprise Linux had the most high-risk vulnerabilities, with Oracle Linux and Novell SUSE Linux approximately even and CentOS Linux nearly on par with Microsoft operating systems.
Mozilla’s Firefox browser had the highest percentage of high-severity CVEs, with Adobe and Google’s exposure also dominated by high-severity issues.
Rampant and persisting vulnerabilities don’t only pose a threat to the companies themselves: with cybercriminals targeting increasingly destructive attacks at sectors such as manufacturing and media, unfixed vulnerabilities can leave companies not only compromised internally – but leveraged to launch leapfrog attacks into affiliated companies.
 
https://www.cso.com.au/article/649894/new-vulnerabilities-coming-faster-than-can-fix-them/
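The article's two practical points are that a team drowning in findings has to cut the queue down by severity (the Critical band is CVSS 9.0 to 10.0) and exposure, and that legacy SSLv2/SSLv3 services deserve attention whatever score the scanner attaches to them. The script below is an added example of that triage, written for this post; it is not code from the article, from Tenable or from the VIR. The `Finding` fields, the `VULN-000x` identifiers and the hostnames are constructed placeholders standing in for a scanner export, not real CVEs or assets.

```python
"""Risk-centric triage of a vulnerability scan export (added example)."""
from collections import Counter
from dataclasses import dataclass

# CVSS v3 qualitative severity bands as published by FIRST: a score at or
# above the floor gets the label; anything below 0.1 is rated "None".
SEVERITY_BANDS = (
    (9.0, "Critical"),
    (7.0, "High"),
    (4.0, "Medium"),
    (0.1, "Low"),
)

# Protocol versions the article describes as old and insecure.
LEGACY_TLS = frozenset({"SSLv2", "SSLv3"})


@dataclass(frozen=True)
class Finding:
    """One vulnerability as a scanner might report it (field names assumed)."""
    vuln_id: str            # scanner identifier (placeholder, not a real CVE)
    cvss: float             # CVSS v3 base score
    assets: frozenset       # hosts on which the finding was observed
    protocols: frozenset = frozenset()  # protocol versions the service offered


def severity(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label
    return "None"


def triage(findings, min_score=0.0):
    """Findings at or above min_score, most urgent first.

    Ordering: higher CVSS first, then broader exposure (more affected
    assets), then the identifier so the queue is deterministic.
    """
    queue = [f for f in findings if f.cvss >= min_score]
    queue.sort(key=lambda f: (-f.cvss, -len(f.assets), f.vuln_id))
    return queue


def severity_counts(findings):
    """Number of findings in each qualitative band."""
    return Counter(severity(f.cvss) for f in findings)


def assets_to_patch(findings, min_score):
    """Distinct hosts carrying at least one finding at or above min_score."""
    hosts = set()
    for f in findings:
        if f.cvss >= min_score:
            hosts |= f.assets
    return sorted(hosts)


def legacy_ssl_hosts(findings):
    """Hosts still offering SSLv2 or SSLv3, regardless of CVSS score."""
    hosts = set()
    for f in findings:
        if f.protocols & LEGACY_TLS:
            hosts |= f.assets
    return sorted(hosts)


# Constructed sample export: identifiers and hostnames are placeholders.
SAMPLE = [
    Finding("VULN-0001", 9.8, frozenset({"web-01", "web-02", "web-03"})),
    Finding("VULN-0002", 9.8, frozenset({"db-01"})),
    Finding("VULN-0003", 7.5, frozenset({"web-01"})),
    Finding("VULN-0004", 5.3, frozenset({"lb-01"}), frozenset({"SSLv3", "TLSv1.2"})),
    Finding("VULN-0005", 3.1, frozenset({"mail-01"}), frozenset({"SSLv2"})),
    Finding("VULN-0006", 9.0, frozenset({"web-02", "db-01"})),
]

if __name__ == "__main__":
    print("findings per band:", dict(severity_counts(SAMPLE)))
    for f in triage(SAMPLE, min_score=9.0):
        print(f"{severity(f.cvss):8} {f.cvss:4} {f.vuln_id} on {len(f.assets)} asset(s)")
    print("hosts to patch for Critical only:", assets_to_patch(SAMPLE, 9.0))
    print("legacy SSL still offered by:", legacy_ssl_hosts(SAMPLE))
```

The point of keeping `legacy_ssl_hosts` separate from the score filter is that a "Critical-only" policy would silently drop the SSLv3 service on `lb-01` (rated Medium here) and the SSLv2 one on `mail-01`, which is exactly the kind of out-of-date exposure the article says attackers go after. On a real export, replace `SAMPLE` with the parsed scanner output and keep the two checks side by side.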