A New Generation Of Critical Vulnerabilities

Uploaded on 2021-02-18 in TECHNOLOGY--Resilience, NEWS-Cybersecurity News, FREE TO VIEW

Cyber security professionals should be concerned about the fact that more than two thirds of vulnerabilities recorded in 2020 require no user interaction of any kind to exploit. Attackers exploiting these vulnerabilities don’t even need their targets to unwittingly perform an action, such as clicking a malicious link in an email. This means that attacks can easily slip under the radar.   
 
According to a  new report from Redscan a record number of critical and high severity vulnerabilities were logged to the US National Institute of Standards (NIST) Vulnerability Database NIST NVD in 2020.  Redscan's analysis shows  a notable rise in lo the large volume of vulnerabilities which now require user privileges and this one of the reasons why phishing remains a primary tactic of cyber criminals.
 
Users with a high degree of privileges, such as system administrators, are a prize target because they are able to open more doors for attackers. 
 
NIST logged more than 18,000 vulnerabilities in 2020, over 10,000 of which were critical or high severity which is an all-time high. Redscan’s analysis looks beyond severity scores, detailing the rise of low complexity vulnerabilities as well as those which require no user interaction to exploit. These trends may be of concern to security teams, highlighting the need for organisations to focus patch management efforts and adopt a multi-layered approach to vulnerability management. 
 
There are also positive trends, such as a decrease in Common Vulnerabilities and Exposures (CVE)s which require no privileges to exploit.  Key findings include:  
 
  •  More security vulnerabilities were disclosed in 2020 (18,103) than in any other year to date – at an average rate of 50 CVEs per day.
  • 57% of vulnerabilities in 2020 were classified as being ‘critical’ or ‘high’ severity (10,342).
  • Low complexity CVEs are on the rise, representing 63% of vulnerabilities disclosed in 2020. 
  • Vulnerabilities which require no user interaction to exploit are also increasing, representing 68% of all CVEs recorded in 2020.
  • Vulnerabilities which require no user privileges to exploit are on the decline (from 71% in 2016 to 58% in 2020.
  • 2020 saw a large spike in physical and adjacent vulnerabilities, likely due to the proliferation of IoT and smart devices in use and being tested by researchers. 
Analysis of the NIST NVD presents a mixed outlook for security teams, according to George Glass, Head of Threat Intelligence at Redscan. "Vulnerabilities are on the rise, including some of the most dangerous variants. However, we’re seeing more positive signs, including a drop in the percentage of vulnerabilities which require no user privileges to exploit... When analysing the potential risk that vulnerabilities pose, organisations must consider more than just their severity score."
 
Many CVEs are never or rarely exploited in the real world because they are too complex or require attackers to have access to high level privileges.  Underestimating what appear to be low risk vulnerabilities can leave organisations open to ‘chaining’, in which attackers move from one vulnerability to another to gradually gain access at increasingly critical stages. 
 
Identifying which vulnerabilities to prioritise is a perennial challenge in IT security, especially as the number of CVEs only continues to grow. To aid decision-making, security teams need a practical understanding of the potential impact vulnerabilities pose and how readily they are being exploited in the wild. 
 
Defence in depth is also important. Not all vulnerabilities are known and patched, so persistent attackers may eventually find a way to breach an organisation’s defences. Best practice lies in having supplementary controls in place, such as continuous network and endpoint monitoring, to mitigate risks.
 
NIST Vulnerability Analysis 2020:
 
You Might Also Read: 
 
Connected Devices Must Be More Secure:
« Facebook Unfriends Australia
New Cyber Training For Security Professionals »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Information Technology Industry Development Agency (ITIDA)

Information Technology Industry Development Agency (ITIDA)

ITIDA has two broad goals: building the capacities of Egypt’s local information and communications technology (ICT) industry and attracting foreign direct investments to boost the ICT sector.

Verafin

Verafin

Verafin is one of the North American leaders in fraud detection and AML software.

SevenShift

SevenShift

SevenShift is a security consulting firm with a wealth of experience in the worlds of Cybersecurity and Internet of Things (IoT).

Pivot Point Security

Pivot Point Security

Pivot Point Security is a trusted leader in information security consulting. We help clients master their information security management systems.

Cyber Security Advisor

Cyber Security Advisor

Notice how sophisticated the cybersecurity market is. Think how would you pick the security provider, assess your company, and be sure of your security decisions? Cyber Security Advisor is the answer!

VeriClouds

VeriClouds

VeriClouds is a password verification service that helps organizations detect compromised passwords and stop account takeover attacks.

Real Protect

Real Protect

Real Protect is a Brazilian provider of managed security (MSS) and cyber defense services.

Matrixforce

Matrixforce

Matrixforce is a vetted IT support provider that uses the patented Delta Method of streamlining technology for financial and professional service firms to reduce complexity and avoid risk.

ZINAD IT

ZINAD IT

ZINAD is an information security company offering state-of-the-art cybersecurity awareness products, solutions and services.

UK Cyber Cluster Collaboration (UKC3)

UK Cyber Cluster Collaboration (UKC3)

UKC3 has been launched to support Cyber Clusters and encourage greater collaboration across regions and nations of the UK.

Druva

Druva

Druva is the industry’s leading SaaS platform for data resiliency, and the only vendor to ensure data protection across the most common data risks backed by a $10m guarantee.

ZX Security

ZX Security

ZX Security is a New Zealand owned and operated cyber security consultancy.

Edge Security

Edge Security

Edge Security is an information security research and consulting firm of expert hackers.

VeriBOM

VeriBOM

VeriBOM is a SaaS security and compliance platform that helps protect you and your customers through automation, documentation, and transparency for every software application you build or run.

MadWolf Technologies

MadWolf Technologies

MadWolf’s mission is to deliver enterprise-quality managed services and focused applications to organizations operating in the non-profit, association and international development sectors.

eTech S.C.

eTech S.C.

eTech specialize in a broad range of technology solutions, including software development, cybersecurity, infrastructure, and IT outsourcing (ITO) services.