Redscan, the Managed Detection and Response and Penetration Testing specialist, today released its new report ‘NIST security vulnerability trends in 2020: an analysis‘.
NIST logged more than 18,000 vulnerabilities in 2020, over 10,000 of which were critical or high severity – an all-time high. Redscan’s analysis also looks beyond severity scores, detailing the rise of low complexity vulnerabilities as well as those which require no user interaction to exploit. These trends may be of concern to security teams, highlighting the need for organisations to focus patch management efforts and adopt a multi-layered approach to vulnerability management. However, there are also positive trends, such as a decrease in CVEs which require no privileges to exploit.
NIST is the US National Institute of Standards and Technology, and its National Vulnerability Database (NVD) is a repository of Common Vulnerabilities and Exposures (CVEs). The Redscan report focuses on vulnerabilities added to the NVD in 2020, examines wider CVE trends since 1989 and offers security advice to organisations. Key findings include:
- More security vulnerabilities were disclosed in 2020 (18,103) than in any other year to date – at an average rate of 50 CVEs per day
- 57% of vulnerabilities in 2020 were classified as being ‘critical’ or ‘high’ severity (10,342)
- Low complexity CVEs are on the rise, representing 63% of vulnerabilities disclosed in 2020
- Vulnerabilities which require no user interaction to exploit are also increasing, representing 68% of all CVEs recorded in 2020
- Vulnerabilities which require no user privileges to exploit are on the decline (from 71% in 2016 to 58% in 2020)
- 2020 saw a large spike in physical and adjacent vulnerabilities, likely due to the proliferation of IoT and smart devices in use and being tested by researchers
“Analysis of the NIST NVD presents a mixed outlook for security teams,” said George Glass, Head of Threat Intelligence at Redscan. “Vulnerabilities are on the rise, including some of the most dangerous variants. However, we’re seeing more positive signs, including a drop in the percentage of vulnerabilities which require no user privileges to exploit.
“When analysing the potential risk that vulnerabilities pose, organisations must consider more than just their severity score. Many CVEs are never or rarely exploited in the real world because they are too complex or require attackers to have access to high level privileges. Underestimating what appear to be low risk vulnerabilities can leave organisations open to ‘chaining’, in which attackers move from one vulnerability to another to gradually gain access at increasingly critical stages.
“Identifying which vulnerabilities to prioritise is a perennial challenge in IT security, especially as the number of CVEs only continues to grow. To aid decision-making, security teams need a practical understanding of the potential impact vulnerabilities pose and how readily they are being exploited in the wild. Defence in depth is also important. Not all vulnerabilities are known and patched, so persistent attackers may eventually find a way to breach an organisation’s defences. The trick is having supplementary controls in place, such as continuous network and endpoint monitoring, to mitigate risks.”