Overall things have not changed too much but we did a little more digging into the vulnerability data we harvested over the 12 months to December 2017.
How do you improve security in a dramatic fashion? What's the biggest quick win to improve your security posture, you ask?
All vulnerabilities are not created equal.
We need to look at vulnerability management in a pragmatic way. It's not possible to be vulnerability-free and 100% secure, but we can aim to remove any issues which may give rise to a breach of client or organisational data. So, let's mitigate the highest risks first and not sweat the small stuff.
Risk is not linear and reducing vulnerability count does not necessarily translate to significant risk reduction.
If we look at vulnerabilities from a risk-based pragmatic approach the following items should be examined (assuming you wish to keep your estate secure):
APPLICATION LAYER RISK DENSITY
In 2017 we discovered that on average 27% of all vulnerabilities were associated with web applications and 73% were network vulnerabilities... BUT
The majority of critical and high risk issues were found on the application layer.
- Network: More noise, more vulnerabilities, less risk.
- Web/Layer 7: Fewer overall vulnerabilities, higher risk. Most of the weaknesses which could result in a breach are living here.
This is because each application is uniquely developed (hosting environments are homogeneous in comparison), and because of the apparent difficulty of managing component version control and patching of third-party libraries.
COMPLIANCE AND PCI DSS
Fullstack Cyber Security View: 18% of all vulnerabilities discovered in edgescan had a CVSS v2 score of 4.0 or more. This is a PCI fail.
13% of all vulnerabilities in the network layer had a CVSS v2 score of 4.0 or more. Also a PCI DSS fail.
32% of ALL vulnerabilities in the web application layer (Layer 7) had a score of 4.0 or more. Also a PCI DSS fail.
Finally, we are still finding a non-trivial amount of old vulnerabilities on live Internet-facing systems.
People discuss the importance of zero-days, but the root cause of many breaches is exploitation of unpatched systems. Don't worry about zero-days; focus on patching your current stuff.
In 2017 edgescan found systems without patches for vulnerabilities dating back to 1999.
The most common CVE was from 2004. To see more read the edgescan report here
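As an added example that is not from the post or from edgescan, the Python below turns the argument above into a triage: it computes the per-layer share of findings, the per-layer risk density (the share of each layer's findings that are High), the PCI DSS fail rate at the 4.0 CVSS v2 threshold and the age of the oldest CVE, then orders findings highest risk first. The Finding type, hosts, scores and CVE years are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

PCI_FAIL_THRESHOLD = 4.0  # CVSS v2 of 4.0 or more is a PCI DSS fail, as the post states

@dataclass
class Finding:
    host: str
    layer: str               # "web" (layer 7) or "network"
    cvss_v2: float
    cve_year: Optional[int]  # year from the CVE id, None if the finding has no CVE

# Constructed sample findings (hosts, scores and years are made up for illustration)
FINDINGS = [
    Finding("app1", "web", 9.3, 2017), Finding("app1", "web", 7.5, 2015),
    Finding("app2", "web", 4.3, None), Finding("app2", "web", 2.6, None),
    Finding("srv1", "network", 5.0, 2004), Finding("srv1", "network", 2.1, 2012),
    Finding("srv2", "network", 1.0, None), Finding("srv2", "network", 3.5, None),
    Finding("srv3", "network", 10.0, 1999), Finding("srv3", "network", 2.6, None),
]

def layer_share(findings):
    """Fraction of all findings per layer: the raw count, which the post calls noise."""
    total = len(findings)
    return {layer: sum(f.layer == layer for f in findings) / total
            for layer in {f.layer for f in findings}}

def risk_density(findings, min_cvss=7.0):
    """Fraction of each layer's own findings at or above min_cvss (7.0 = CVSS v2 High)."""
    density = {}
    for layer in {f.layer for f in findings}:
        in_layer = [f for f in findings if f.layer == layer]
        density[layer] = sum(f.cvss_v2 >= min_cvss for f in in_layer) / len(in_layer)
    return density

def pci_fail_rate(findings, layer=None):
    """Fraction of findings (optionally one layer) scoring at or above the PCI threshold."""
    subset = [f for f in findings if layer is None or f.layer == layer]
    return sum(f.cvss_v2 >= PCI_FAIL_THRESHOLD for f in subset) / len(subset)

def oldest_cve_year(findings):
    """Year of the oldest CVE still present: how long a known patch has been missing."""
    years = [f.cve_year for f in findings if f.cve_year is not None]
    return min(years) if years else None

def prioritise(findings):
    """Fix order: highest CVSS first, ties broken by the oldest (longest exposed) CVE."""
    return sorted(findings, key=lambda f: (-f.cvss_v2, f.cve_year or 9999))
```

On the sample data the network layer holds 60% of the findings but only a sixth of them are High, while half of the web findings are; that gap, not the raw count, is what the fix order follows.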