A New Generation Of Critical Vulnerabilities

Cyber security professionals should be concerned about the fact that more than two thirds of vulnerabilities recorded in 2020 require no user interaction of any kind to exploit. Attackers exploiting these vulnerabilities don’t even need their targets to unwittingly perform an action, such as clicking a malicious link in an email. This means that attacks can easily slip under the radar.   
 
According to a  new report from Redscan a record number of critical and high severity vulnerabilities were logged to the US National Institute of Standards (NIST) Vulnerability Database NIST NVD in 2020.  Redscan's analysis shows  a notable rise in lo the large volume of vulnerabilities which now require user privileges and this one of the reasons why phishing remains a primary tactic of cyber criminals.
 
Users with a high degree of privileges, such as system administrators, are a prize target because they are able to open more doors for attackers. 
 
NIST logged more than 18,000 vulnerabilities in 2020, over 10,000 of which were critical or high severity which is an all-time high. Redscan’s analysis looks beyond severity scores, detailing the rise of low complexity vulnerabilities as well as those which require no user interaction to exploit. These trends may be of concern to security teams, highlighting the need for organisations to focus patch management efforts and adopt a multi-layered approach to vulnerability management. 
 
There are also positive trends, such as a decrease in Common Vulnerabilities and Exposures (CVE)s which require no privileges to exploit.  Key findings include:  
 
  •  More security vulnerabilities were disclosed in 2020 (18,103) than in any other year to date – at an average rate of 50 CVEs per day.
  • 57% of vulnerabilities in 2020 were classified as being ‘critical’ or ‘high’ severity (10,342).
  • Low complexity CVEs are on the rise, representing 63% of vulnerabilities disclosed in 2020. 
  • Vulnerabilities which require no user interaction to exploit are also increasing, representing 68% of all CVEs recorded in 2020.
  • Vulnerabilities which require no user privileges to exploit are on the decline (from 71% in 2016 to 58% in 2020.
  • 2020 saw a large spike in physical and adjacent vulnerabilities, likely due to the proliferation of IoT and smart devices in use and being tested by researchers. 
Analysis of the NIST NVD presents a mixed outlook for security teams, according to George Glass, Head of Threat Intelligence at Redscan. "Vulnerabilities are on the rise, including some of the most dangerous variants. However, we’re seeing more positive signs, including a drop in the percentage of vulnerabilities which require no user privileges to exploit... When analysing the potential risk that vulnerabilities pose, organisations must consider more than just their severity score."
 
Many CVEs are never or rarely exploited in the real world because they are too complex or require attackers to have access to high level privileges.  Underestimating what appear to be low risk vulnerabilities can leave organisations open to ‘chaining’, in which attackers move from one vulnerability to another to gradually gain access at increasingly critical stages. 
 
Identifying which vulnerabilities to prioritise is a perennial challenge in IT security, especially as the number of CVEs only continues to grow. To aid decision-making, security teams need a practical understanding of the potential impact vulnerabilities pose and how readily they are being exploited in the wild. 
 
Defence in depth is also important. Not all vulnerabilities are known and patched, so persistent attackers may eventually find a way to breach an organisation’s defences. Best practice lies in having supplementary controls in place, such as continuous network and endpoint monitoring, to mitigate risks.
 
NIST Vulnerability Analysis 2020:
 
You Might Also Read: 
 
Connected Devices Must Be More Secure:
« Facebook Unfriends Australia
New Cyber Training For Security Professionals »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Galaxkey

Galaxkey

Galaxkey is a data protection product that protects email, documents and any data using access control and an encryption platform.

Global Secure Solutions (GSS)

Global Secure Solutions (GSS)

Global Secure Solutions is an IT security and risk consulting firm and authorised ISO training partner for the PECB.

Allgress

Allgress

Allgress solutions converge disparate risk silos across enterprise networks and automate governance, risk and compliance management processes.

Introspective Networks

Introspective Networks

Introspective Networks (IN) is a Cybersecurity company focusing on securing data in the network and automating knowledge work to decrease vulnerability points to critical infrastructure.

The ai Corporation

The ai Corporation

The ai Enterprise Fraud Solution is an on-prem or cloud-based self-service, machine learning fraud detection and prevention tool set.

Quantstamp

Quantstamp

Quantstamp are experts in Smart Contract Security Audits. We provide verification that your decentralized system works as intended.

Sigma IT

Sigma IT

SIGMA IT is one of the largest IT services organizations in EMEA region providing a full range of solutions and services including cybersecurity, data protection and business continuity.

Dynatrace

Dynatrace

Dynatrace provides software intelligence to simplify cloud complexity and accelerate digital transformation.

Phakamo Tech

Phakamo Tech

Phakamo Tech offers a full set of governance, risk, compliance, cybersecurity and Microsoft Cloud services that include consulting, planning, implementation and cyber incident response.

Laminar

Laminar

Laminar provides the only Public Cloud Data Protection solution that provides full visibility and enforcement capabilities across your entire public cloud infrastructure.

HEQA Security

HEQA Security

HEQA Security (formerly QuantLR) offer the world’s most cost-effective, easy-to-integrate, and secure Quantum Key Distribution (QKD) solution

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Silent Circle

Silent Circle

Silent Circle is the leader in end-to-end enterprise solutions for secure mobile communications.

Sayers

Sayers

Sayers is best known for its ability to solve business challenges with IT solutions. Our areas of expertise include cloud, storage, virtualization, security, mobility and networking.

Zeron

Zeron

Zeron build bridges between security teams and top management. Our platform unifies your cyber risk posture seamlessly, encompassing threat insights and quantifiable risk scenarios.

Closed Door Security

Closed Door Security

Closed Door Security is the only cybersecurity team in the north of Scotland offering everything from IASME Certification to CREST-Accredited penetration testing.