2018 is closing out, and it is setting new records for enterprise vulnerabilities. According to new research by Tenable, 2018 is poised to set a new high for disclosed security flaws.
In its Vulnerability Intelligence Report, Tenable found that more than 15,000 new vulnerabilities were added to the Common Vulnerabilities and Exposures (CVE) list in 2017, up from 9,837 in 2016. The first half of 2018 showed a 27% increase over the same period of the previous year, and the rest of 2018 looks set to keep that pace: the industry is on track to publish between 18,000 and 19,000 new security flaws by year's end.
An enterprise vulnerability is a flaw or weakness in software or an operating system that an attacker can use to compromise a system. Many of the flaws in the report affect organizations running outdated versions of common software packages and platforms, including Microsoft products, Java and Flash.
Tenable also found enterprises that still have Microsoft Windows Server 2000 deployed. The longer an operating system is in the field, the more of its weaknesses get discovered, and once the vendor stops issuing patches those weaknesses stay open for good. This makes older operating systems and software a buffet for attackers.
It is worth noting that part of the rise in reported vulnerabilities comes from the bug bounty programs software companies now run. With that much attention on the search for bugs, more vulnerabilities will keep being found, which is good news for security teams and software developers. However, cybercrime is rising too, and attackers are as good at finding and exploiting flaws as they have ever been.
Web browsers are the other major area of concern besides outdated operating systems. Tenable found that older browser versions are far more exposed to the vulnerabilities listed in the report. Outdated Firefox builds carried the worst of the browser flaws and alone accounted for 53% of the browser vulnerabilities recorded; the only other browser in contention was older versions of Microsoft Internet Explorer. The most common attacks on browsers come from exploit kits: a user lands on a compromised or malicious web page (often through a malvertising redirect), the kit fingerprints the browser and its plugins for a vulnerability it can exploit, and then delivers a payload such as a cryptominer, a DDoS bot, or data-stealing malware. The attacker does not need to be inside the network first; the unpatched browser is the way in.
So, what can a company do to protect itself? First, run a discovery and audit to inventory every device in use, including the software and operating system versions on each, and work out what needs to be patched or replaced. Second, review the patch management policy: a strict, consistent policy with defined maintenance windows means the organization knows its software is being patched on a regular schedule rather than when someone remembers. Finally, deploy a remote management system that gives IT staff access to all devices, including off-network devices, so they can schedule machines to power on, patch and restart during those windows. Or, let somebody else handle it for you. CHR Managed Services has the tools and experience to provide remote patch management services.
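To make the discovery-and-audit step concrete, here is an added example in Python, written for this page and not code from Tenable or CHR. It reads a constructed device inventory (the kind of CSV a discovery tool exports), compares each installed product against an assumed minimum-version baseline, flags hosts running an out-of-support operating system, and orders the findings by urgency. The inventory rows, baseline versions and end-of-life list are illustrative assumptions, not figures from the report.

```python
import csv
import io
import re
from dataclasses import dataclass

# Constructed sample inventory, laid out as a discovery tool might export it.
# Assumed columns: hostname,os,product,version (one row per installed product).
INVENTORY_CSV = """hostname,os,product,version
fs01,Windows Server 2000,Firefox,52.9.0
ws-17,Windows 10 1803,Firefox,62.0.3
ws-17,Windows 10 1803,Java 8,8.0.181
ws-22,Windows 7 SP1,Internet Explorer,11.0.9600
ws-22,Windows 7 SP1,Flash Player,30.0.0.154
lt-05,Windows 10 1803,Firefox,9.0.1
lt-05,Windows 10 1803,7-Zip,18.05
"""

# Assumed patch baseline: the oldest version the policy tolerates for each
# product. Illustrative values, not vendor advisories.
MIN_VERSIONS = {
    "Firefox": "62.0.3",
    "Internet Explorer": "11.0.9600",
    "Java 8": "8.0.191",
    "Flash Player": "31.0.0.108",
}
# Products ranked higher because exploit kits target them directly.
BROWSERS = {"Firefox", "Internet Explorer"}
# Operating systems the vendor no longer patches (assumed list for the example).
EOL_OS = {"Windows Server 2000", "Windows Server 2003", "Windows XP"}

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    hostname: str
    severity: str
    issue: str


def parse_version(version: str) -> tuple:
    """Split a dotted version into a tuple of ints so comparison is numeric.
    Comparing the raw strings is a classic audit bug: '9.0.1' > '62.0.3'
    because '9' sorts after '6', which would hide an ancient Firefox build."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_outdated(version: str, minimum: str) -> bool:
    return parse_version(version) < parse_version(minimum)


def audit(inventory_csv: str, min_versions=MIN_VERSIONS, eol_os=EOL_OS) -> list:
    """Return findings sorted by severity, then hostname."""
    findings = []
    eol_reported = set()
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        host, os_name = row["hostname"], row["os"]
        product, version = row["product"], row["version"]

        # An out-of-support OS cannot be patched at all, so it outranks
        # everything else: replace or isolate the host. Report once per host.
        if os_name in eol_os and host not in eol_reported:
            eol_reported.add(host)
            findings.append(Finding(
                host, "critical", f"{os_name} is out of support; replace or isolate"))

        minimum = min_versions.get(product)
        if minimum is None:
            # Software with no baseline is a policy gap, not a pass.
            findings.append(Finding(
                host, "low", f"no baseline for {product} {version}; add it to the patch policy"))
        elif is_outdated(version, minimum):
            severity = "high" if product in BROWSERS else "medium"
            findings.append(Finding(
                host, severity, f"{product} {version} is below baseline {minimum}"))

    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.hostname))


if __name__ == "__main__":
    for f in audit(INVENTORY_CSV):
        print(f"{f.severity:<8} {f.hostname:<6} {f.issue}")
```

Run as-is and the report lists the Windows Server 2000 host first, then the two hosts with outdated Firefox, then the Java and Flash stragglers, and finally the product the policy does not cover yet. Replacing `INVENTORY_CSV` with a real export and the baseline dictionary with your own policy turns it into the input for the patch schedule described above.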