A New Generation Of Critical Vulnerabilities

Cyber security professionals should be concerned about the fact that more than two thirds of vulnerabilities recorded in 2020 require no user interaction of any kind to exploit. Attackers exploiting these vulnerabilities don’t even need their targets to unwittingly perform an action, such as clicking a malicious link in an email. This means that attacks can easily slip under the radar.   
 
According to a  new report from Redscan a record number of critical and high severity vulnerabilities were logged to the US National Institute of Standards (NIST) Vulnerability Database NIST NVD in 2020.  Redscan's analysis shows  a notable rise in lo the large volume of vulnerabilities which now require user privileges and this one of the reasons why phishing remains a primary tactic of cyber criminals.
 
Users with a high degree of privileges, such as system administrators, are a prize target because they are able to open more doors for attackers. 
 
NIST logged more than 18,000 vulnerabilities in 2020, over 10,000 of which were critical or high severity which is an all-time high. Redscan’s analysis looks beyond severity scores, detailing the rise of low complexity vulnerabilities as well as those which require no user interaction to exploit. These trends may be of concern to security teams, highlighting the need for organisations to focus patch management efforts and adopt a multi-layered approach to vulnerability management. 
 
There are also positive trends, such as a decrease in Common Vulnerabilities and Exposures (CVE)s which require no privileges to exploit.  Key findings include:  
 
  •  More security vulnerabilities were disclosed in 2020 (18,103) than in any other year to date – at an average rate of 50 CVEs per day.
  • 57% of vulnerabilities in 2020 were classified as being ‘critical’ or ‘high’ severity (10,342).
  • Low complexity CVEs are on the rise, representing 63% of vulnerabilities disclosed in 2020. 
  • Vulnerabilities which require no user interaction to exploit are also increasing, representing 68% of all CVEs recorded in 2020.
  • Vulnerabilities which require no user privileges to exploit are on the decline (from 71% in 2016 to 58% in 2020.
  • 2020 saw a large spike in physical and adjacent vulnerabilities, likely due to the proliferation of IoT and smart devices in use and being tested by researchers. 
Analysis of the NIST NVD presents a mixed outlook for security teams, according to George Glass, Head of Threat Intelligence at Redscan. "Vulnerabilities are on the rise, including some of the most dangerous variants. However, we’re seeing more positive signs, including a drop in the percentage of vulnerabilities which require no user privileges to exploit... When analysing the potential risk that vulnerabilities pose, organisations must consider more than just their severity score."
 
Many CVEs are never or rarely exploited in the real world because they are too complex or require attackers to have access to high level privileges.  Underestimating what appear to be low risk vulnerabilities can leave organisations open to ‘chaining’, in which attackers move from one vulnerability to another to gradually gain access at increasingly critical stages. 
 
Identifying which vulnerabilities to prioritise is a perennial challenge in IT security, especially as the number of CVEs only continues to grow. To aid decision-making, security teams need a practical understanding of the potential impact vulnerabilities pose and how readily they are being exploited in the wild. 
 
Defence in depth is also important. Not all vulnerabilities are known and patched, so persistent attackers may eventually find a way to breach an organisation’s defences. Best practice lies in having supplementary controls in place, such as continuous network and endpoint monitoring, to mitigate risks.
 
NIST Vulnerability Analysis 2020:
 
You Might Also Read: 
 
Connected Devices Must Be More Secure:
« Facebook Unfriends Australia
New Cyber Training For Security Professionals »

ManageEngine
CyberSecurity Jobsite
Check Point

Directory of Suppliers

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

E-Tech

E-Tech

E-Tech has been providing system support and information technology consulting services including Internet and Network Security assessments.

TestingXperts

TestingXperts

TestingXperts is a specialist software QA and testing company.

Nohau

Nohau

Nohau provide services for safe and secure embedded software development.

Inseego

Inseego

Inseego provides Enterprise SaaS solutions and IoT & Mobile solutions, which together form the backbone of intelligent, reliable and secure IoT services with deep business intelligence.

Standards Council of Canada (SCC)

Standards Council of Canada (SCC)

SCC leads and facilitates the development and use of national and international standards and accreditation services in Canada.

Glilot Capital Partners

Glilot Capital Partners

Glilot Capital Partners is an Israeli seed and early-stage VC. We specialize in businesses which disrupt enterprise technology, mainly in the fields of AI, big data and cybersecurity.

NeuVector

NeuVector

NeuVector, the leader in Full Lifecycle Container Security, delivers uncompromising end-to-end security from DevOps vulnerability protection to complete protection in production.

Penten

Penten

Penten is an Australian-based cyber security company focused on innovation in secure mobility and applied AI (artificial intelligence).

Intracom Telecom

Intracom Telecom

Intracom Telecom is a global telecommunication systems & solutions vendor offering a complete range of professional services and solutions including Information Security.

3i Infotech

3i Infotech

3i Infotech offers consulting & professional services to assess, design and build next gen IT infrastructure, and managed services to operate, optimize and continuously improve.

European Center for CyberSecurity in Aviation (ECCSA)

European Center for CyberSecurity in Aviation (ECCSA)

ECCSA is a cooperative partnership within the aviation community to better understand emerging cybersecurity risks in aviation and provide collective support in dealing with cybersecurity incidents.

Lucata

Lucata

Lucata solutions support groundbreaking graph analytics and improved machine learning for organizations in financial services, cybersecurity, healthcare, pharmaceuticals, telecommunications and more.

Lupovis

Lupovis

Lupovis is an AI-based deception solution that deploys active decoys turning your network from a flock of sheep to a pack of wolves where the hunter becomes the hunted.

CyBourn

CyBourn

Cybourn's diverse offerings include engineering, analysis, product development, assessment, and advisory services in the cybersecurity space.

Cybastion

Cybastion

Cybastion develops robust world-class cybersecurity solutions tailored to suit the needs of different businesses, governments and public sector entities.

at-yet (@-yet)

at-yet (@-yet)

at-yet are an interdisciplinary team of experts. We are all about achieving results, whatever the situation – an acute incident, risk minimisation, safeguarding or data protection.