2018 Vulnerability Stats Report - Simple things make the difference.

By -


We finally finished off the 2018 edgescan Vulnerability Stats report this week.
Overall things have not changed too much but we did a little more digging into the vulnerability data we harvested over the 12 months to December 2017.

To that end we did some PCI compliance comparison (given that edgescan is a certified PCI ASV) service in addition to the awesome full stack vulnerability intelligence solution it always has been.

 How to improve security in a dramatic fashion? Whats the biggest quick win to improve your security posture you ask?

 All vulnerabilities are not created equal.
We need to look at vulnerability management in a pragmatic way. Its not possible to be vulnerability-free and 100% secure, but we can aim for removing any issues which may give rise to a breach of client or organisational data. So, lets mitigate the highest risks first and not sweat about the small stuff.
Risk is not linear and reducing vulnerability count does not necessarily translate to significant risk reduction.

If we look at vulnerabilities from a risk-based pragmatic approach the following items should be examined (assuming you wish to keep your estate secure):

APPLICATION LAYER RISK DENSITY
In 2017 we discovered that on average, 27% of all vulnerabilities were associated with web applications and 73% were network vulnerabilities....BUT
The majority of critical and high risk issues were firms situated on the application layer.

So...

  • Network: More noise, more vulnerabilities, less risk.
  • Web/Layer 7: Fewer overall vulnerabilities, higher risk. Most of the weaknesses which could result in a breach are living here.


 This is due to each application being uniquely developed (hosting environments are homogeneous in comparison) and apparent difficulties in managing component version control and patching of third party libraries.

COMPLIANCE AND PCI DSS

Fullstack Cyber Security View:
18% of all vulnerabilities discovered in edgescan had a CVSS v2 score of 4.0 or more.- This is a PCI fail .
Host/Server View:
13% of all vulnerabilities in the network layer had a CVSS v2 score of 4.0 or more. - Also PCI DSS fail
Network/Host View:
32% of ALL vulnerabilities in the web application layer (Layer 7) has a score of 4.0 or more - Also a PCI DSS fail.


CVE LANDSCAPE

 Finally we are still finding a non trivial amount of old vulnerabilities on live Internet facing systems.
People discuss the importance of Zerodays but the root cause of many breaches is exploitation of unpatched systems. Don't worry about Zerodays, focus on patching your current stuff.


In 2017 edgescan found systems without patches for vulnerabilities dating back to 1999.
The most common CVE was from 2004. To see more read the edgescan report here






Comments

Post a Comment

Popular posts from this blog

Edgescan, why we do what we do.....

By -
Image
  The cyber security industry is full of solutions to make you more secure. Some are unproven and other approaches work if deployed properly. Our industry is very fragmented. for example a recent "Cyber Defense" award I noticed has 195 categories!  I suppose we need to ask ourselves as companies from time to time why we do what we do?  So, the following post is, I guess, the reason we developed Edgescan and why we believe its a decent solution to help organizations improve and be more resilient in relation to cyber security and system protection.... Vulnerability scanning alone did not work. The idea of software testing software for vulnerabilities is a good one but both sides of the equation may have bugs. Bugs in one side (The target) may result in vulnerabilities, whilst bugs on the other side (Scanner) may result in false negatives and false positives.  Accuracy : To that end we built edgescan as a combination of automation to discover vulnerabilities at scale but  when c
Read more

20 years of Vulnerability Managment - Why we've failed and continue to do so.

By -
Image
Cyber Security: Keeping Pace with Change. Getting breached can really ruin your day. Actually it normally happens on a friday evening as you are about chill for the weekend. The cause of must breaches is not rocket science, its more to do with the poor approach we have accepted because we underestimate the threat actor.  - An attacker does not scan your website/network once a quarter with a commercial or open source scanner or perform an annual penetration test against your systems to see if there is any low hanging fruit, so how do we expect to defend against such an advisory using that approach? Systems change now more frequently than ever due to the ease of cloud deployments and the speed of software deployments due to iterative development techniques. The rate of change increase results in exposures quickly manifesting and the organisation not even being aware of the exposure in the first place. Many organisations dont know what they have exposed on the public Internet. We need t
Read more

Edgescan and Huawei - Cybersecurity - Irish Times Article and Panel Discussion

By -
Image
I recently was interviewed by the Irish times on why is everything getting hacked and how can we change the game.... https://www.irishtimes.com/special-reports/cybersecurity-focus/criminals-have-an-inbuilt-advantage-in-the-great-cyber-arms-race-1.4651078  A recording of the Panel with Andy Purdy, CSO of Huawei North America. https://www.youtube.com/watch?v=cQJ1uSQ4IEk&t=33s Both are decent and worth a listen.
Read more