Analysis: Critical and High Severity System Vulnerabilities Reach Record High in 2020
Hackers are exploiting their victims by capitalizing on low complexity vulnerabilities and those that require no user interaction, a new analysis of some 18,000 network weaknesses found.
Redscan, a London-based managed security service provider (MSSP) specializing in managed detection and response (MDR) and penetration testing, said the results of its NIST Security Vulnerability Trends in 2020 highlight the need for organizations to adopt a multi-layered approach to manage vulnerabilities.
The study’s foundation is based on system vulnerabilities logged by the U.S. National Institute of Standards and Technology (NIST) and its National Vulnerability Database (NVD), which serves as a repository for Common Vulnerabilities and Exposures (CVEs).
Redscan’s report is directed at vulnerabilities added to the NVD in 2020 and examines CVE trends since 1989, the MSSP said. A positive data point that stands out is a decline in CVEs that require no privileges to exploit, the company said.
Key findings include:
- More security vulnerabilities were disclosed in 2020 (18,103) than in any other year to date, at an average rate of 50 CVEs per day.
- 57% of vulnerabilities in 2020 were classified as being ‘critical’ or ‘high’ severity (10,342).
- Low complexity CVEs are on the rise, representing 63% of vulnerabilities disclosed in 2020.
- Vulnerabilities which require no user interaction to exploit are also increasing, representing 68% of all CVEs recorded in 2020.
- Vulnerabilities which require no user privileges to exploit are on the decline (from 71% in 2016 to 58% in 2020).
- 2020 saw a large spike in physical and adjacent vulnerabilities, likely due to the proliferation of IoT and smart devices in use and being tested by researchers.
“Many CVEs are never or rarely exploited in the real world because they are too complex or require attackers to have access to high level privileges,” said George Glass, who heads threat intelligence at Redscan. “Underestimating what appear to be low risk vulnerabilities can leave organizations open to ‘chaining’, in which attackers move from one vulnerability to another to gradually gain access at increasingly critical stages,” he said.
Glass offered some recommendations to help IT security teams handle the growing number of CVEs:
- To aid decision-making on which vulnerabilities to prioritize, security teams need a practical understanding of the potential impact vulnerabilities pose and how readily they are being exploited in the wild.
- Defense in depth is important. Not all vulnerabilities are known and patched, so persistent attackers may eventually find a way to breach an organization’s defenses.
- Set supplementary controls in place, such as continuous network and endpoint monitoring, to mitigate risks.