SKYBOX SECURITY has released its latest "Vulnerability and Threat Trends Report," which analyzes the vulnerabilities, exploits, and threats in play over the previous year.
What stands out first from the data is the sheer volume of new vulnerabilities published in 2018. The National Vulnerability Database assigned 16,412 new common vulnerabilities and exposures (CVEs), a 12% increase over the previous year. That may seem like a small climb, but the 2017 figure already was an all-time high, and Marina Kidron, director of Threat Intelligence, believes these record-breaking figures are the new normal.
"It would come as no surprise if 2019 breaks the CVE record again," says Kidron. "While more resources in vulnerability research are what's driving these high numbers, that's cold comfort to [chief information security officers] trying to keep their organization safe. The challenge of answering, 'What do I fix today?' is only getting harder--unless you have the right information to contextualize this mountain of data."
Ron Davidson, chief technology officer and vice president of research and development, echoed a similar sentiment: "If you're hanging your vulnerability management strategy on fixing CVSS [common vulnerability scoring system] critical- or high-severity vulnerabilities, 2018 added about 9,000 vulnerabilities to that list; it's simply no longer practical to 'focus' attention on this large group."
Exploitability--what's being used in the wild, what sample code is available--is a more-important indicator of what should get attention first. It's something many vulnerability management programs lack, so their resources are going in the wrong place and they're not moving the needle on risk."
Other findings of the report detail risks to the growing attack surface, including operational technology (OT) networks. Attacks on OT continue to climb, with a 10% increase between 2017-18. While these attacks range in motive and impact, the WannaCry outbreak in Taiwan Semiconductor Manufacturing Company was a prime example of how a cyber-criminal tool like ransomware, nation-state threats, and internal exposure can create the perfect storm to wreak havoc on a network, as well as a company's bottom line.
The report also warns of a false...