15,000 vulnerabilities in 2014

How many affected you? Find out in Secunia’s Vulnerability Review 2015

Vulnerabilities are a huge point of weakness. As an entry point for hackers, they can be exploited to gain access to all your IT systems.

Fortunately, more and more people are aware of the threat posed by vulnerabilities. Statistical information is made readily available, helping people stay informed about an ever-changing security risk.

But while awareness of the issue is growing, IT teams aren’t always safe and secure.

Most successful attacks use known vulnerabilities

According to a 2013 study by the Centre for Strategy and International Studies, 75% of all successful attacks used publicly known vulnerabilities. Worse, these vulnerabilities could have been fixed by a patch that was already available.

It’s a shocking statistic, but the reality is hardly surprising. After all, managing vulnerabilities across your entire environment is no easy task.

As it was phrased in a recent Cisco Security Research report, “the proliferation of outdated versions of exploitable software will continue to lead to security issues of great magnitude.”

In summary, it’s a lack of knowledge and visibility that leads to the majority of attacks.

Keeping track of 4,000 products

Part of the problem is that it’s hard to keep track of so many different applications – and their individual vulnerabilities.

Published by Secunia’s Research Team, the annual Secunia Vulnerability Review is a complete analysis of the application vulnerability landscape. According to the latest review, 15,435 vulnerabilities were discovered in 2014. They were spread across 3,870 applications, published by 500 different vendors.

That’s an 18% increase in vulnerabilities since 2013, and a 55% increase over the past five years.

And, with more vulnerabilities across almost 4,000 different products, keeping up with them all is a complex, time-consuming task.

83% of vulnerabilities have day one patches

There are more vulnerabilities than ever before. But vendors are getting better at dealing with them and issuing patches as soon as possible.

The Flexera Vulnerability Review showed that, of the 15,435 vulnerabilities discovered in 2014, 83% of them had patches available on the day of disclosure. Vendors and developers, it seems, aren’t to blame.

The uncomfortable truth is that IT teams have the solution they need. They can solve their vulnerabilities with a simple patch.

But it’s not that simple.

To apply the patch, you’ll need to know:

  • That there’s a vulnerability
  • That you have a vulnerable installation in your environment
  • How the vulnerability could be exploited to access critical data or obstruct your environment
  • What the best mitigation strategy is – patching or alternative solutions

The only way to eliminate vulnerabilities before they’re exploited is to gather this information quickly and get all the knowledge you need – fast.

Intelligence, not information, protects your network

It doesn’t matter how quickly a patch is released. It’s irrelevant how fast developers respond. The only thing that matters is how quickly you can gather the information you need to put the patch in place.

That’s where vulnerability intelligence comes in.

Most IT teams attempt to work with vulnerability information: partial accounts of new vulnerabilities that have been uncovered. But that’s not enough to support the way IT teams really work.

Vulnerability intelligence plays a role throughout your strategy, including:

  • Vulnerability assessment
  • Patch management
  • Application control
  • Security Information and Event Management (SIEM)
  • Network Access Control (NAC)

So you always understand what’s happening across your applications, where vulnerabilities are present, and how best to resolve them.
