Vulnerability disclosures are on pace to set a record for the year, a new report found.
SCADA is the exception. Vulnerabilities in SCADA products accounted for only 1.7 percent of all reported vulnerabilities in 2017, down from 2.8 percent in 2016. Whether this decline reflects researchers no longer focusing on SCADA products or something else is hard to determine, said researchers at Risk Based Security in their 2018 Q1 Vulnerability QuickView Report. “Based on our knowledge of SCADA, it is hard to imagine it is due to SCADA security improving or vulnerabilities being more difficult to find,” they said.
As more and more vulnerabilities are reported, organizations are forced to spend an increasing amount of time and resources to stay properly informed about the weaknesses affecting their IT infrastructure and applications, according to Risk Based Security’s 2018 Q1 Vulnerability QuickView Report.
There is a further cost of ownership, as vulnerabilities disclosed also require proper prioritization, triage, and remediation.
Key findings of the report include:
• 5,375 unique vulnerabilities were reported, a 1.8 percent increase over the same period in 2017. Note that this count will continue to rise throughout 2018 as further disclosures from the quarter are catalogued.
• 1,790 (33.3 percent) of the vulnerabilities tracked have no CVE ID assigned and are therefore absent from NVD and from any other database that relies solely on CVE. 19.7 percent of these non-CVE vulnerabilities have a CVSSv2 score between 9 and 10.
• 32.7 percent of the vulnerabilities have public exploits or sufficient details available to trivially exploit.
• 49.1 percent of the vulnerabilities are remotely exploitable.
• 74.3 percent of the vulnerabilities have a documented solution, i.e., a workaround, patch, or fixed version.
Of the issues disclosed in Q1, about 75 percent had a documented solution available. That still leaves more than 1,300 disclosed vulnerabilities with no vendor-supplied fix.
An organization that relies solely on patch management software for remediation therefore never sees roughly a quarter of the weaknesses in its infrastructure and applications, because there is no patch to deploy for them.
Administrators are beginning to realize that timely awareness of disclosed vulnerabilities, whether or not they carry a CVE ID or a patch, is critical to their operations, and that their organization cannot rely on patch management solutions alone.
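The two gaps the report describes, entries that a CVE-keyed database never ingests and entries that a patch-only process never acts on, are easiest to see in a small triage pipeline. The following is an added illustration, not code from Risk Based Security or from the report; the feed format, the field names, the priority weights and the sample records are all assumptions constructed for the example, and the "CVE-EXAMPLE-n" strings are placeholders rather than real CVE identifiers.

```python
"""Triage a vulnerability feed without keying on CVE IDs or on patch availability.

Added example, not code from Risk Based Security or the QuickView report.
Field names, weights and records below are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Vuln:
    tracker_id: str                 # the feed's own identifier (assumed field name)
    title: str
    cvss_v2: float
    remote: bool                    # remotely exploitable
    public_exploit: bool            # public exploit, or details sufficient to trivially exploit
    cve: Optional[str] = None       # None when no CVE ID has been assigned
    solution: Optional[str] = None  # "patch" | "fixed_version" | "workaround" | None


# Constructed sample feed. These are not real disclosures, and
# "CVE-EXAMPLE-n" is a placeholder, not a real CVE identifier.
FEED = [
    Vuln("VULN-0001", "unauthenticated command injection in web UI", 10.0, True, True, "CVE-EXAMPLE-1", "patch"),
    Vuln("VULN-0002", "hard-coded service credential", 9.3, True, False, None, None),
    Vuln("VULN-0003", "reflected XSS in login page", 4.3, True, True, "CVE-EXAMPLE-2", "workaround"),
    Vuln("VULN-0004", "local privilege escalation via world-writable config", 7.2, False, False, None, "fixed_version"),
    Vuln("VULN-0005", "deserialization of untrusted data in API", 6.8, True, True, "CVE-EXAMPLE-3", None),
]


def cve_only_view(feed):
    """What a database keyed solely on CVE IDs would contain: non-CVE entries vanish."""
    return [v for v in feed if v.cve is not None]


def priority(v: Vuln) -> float:
    """Ordering score: CVSS base plus weights for the two properties the report
    singles out, remote reach and a public exploit. The weights are assumed."""
    score = v.cvss_v2
    if v.remote:
        score += 2.0
    if v.public_exploit:
        score += 3.0
    return score


def action_for(v: Vuln) -> str:
    """Route each entry to the remediation path that actually exists for it."""
    if v.solution in ("patch", "fixed_version"):
        return "patch"
    if v.solution == "workaround":
        return "apply_workaround"
    # No vendor fix: compensating control, segmentation, or monitoring.
    return "mitigate"


def triage(feed):
    """Ordered work queue that keeps both non-CVE and no-fix entries."""
    ranked = sorted(feed, key=priority, reverse=True)
    return [(v.tracker_id, round(priority(v), 1), action_for(v)) for v in ranked]


def coverage_gaps(feed):
    """Count what a CVE-only feed or a patch-only process would silently miss."""
    return {
        "total": len(feed),
        "missing_cve": sum(1 for v in feed if v.cve is None),
        "no_fix": sum(1 for v in feed if v.solution is None),
        "not_addressable_by_patching": sum(1 for v in feed if action_for(v) != "patch"),
    }


if __name__ == "__main__":
    for row in triage(FEED):
        print(row)
    print(coverage_gaps(FEED))
```

Two design points carry over to a real feed. The queue is keyed on the tracker's own identifier, so an entry without a CVE ID is ranked and worked like any other instead of being dropped at ingestion; and the routing step is driven by the solution type rather than by whether a patch exists, so entries with no fix surface as explicit mitigation work rather than disappearing from a patch-compliance report.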