A record-breaking number of 20,832 vulnerabilities have been discovered in 2017 but only 12,932 of these received an official CVE identifier last year, a Risk Based Security (RBS) report reveals.
This means that 7,900 security bugs remained without a CVE-2017-XXXXX number, and were left off the databases of many security scanners because of it.
Furthermore, this also means that many security bugs remained buried on forums and personal blogs, places where attackers might have the time to scout but where many IT security departments will never look.
This isn’t the first time that MITRE’s Common Vulnerability Enumeration (CVE) and the DHS’ National Vulnerability Database (NVD) have fallen short of identifying and categorizing all security flaws during a year, something that has become a habit for the two organizations over the past decade.
The reasons are plenty, but one of them is the explosion of security bugs in IoT devices, which has made it harder for MITRE and NVD staff to keep up with all the bugs.
Furthermore, almost 7,000 2017 vulnerabilities received a RESERVED CVE status, with no public details available, despite 1,342 of them having a public disclosure. “This seems to indicate that MITRE is more focused on assigning and increasing the number of IDs, and not ensuring the quality of data,” RBS experts concluded.
⛔ 39.3% of all vulnerabilities received a CVSSv2 score of 7 or higher.
⛔ 44.5% of vulnerabilities that did not receive a CVE had a CVSSv2 score of 7 or higher.
⛔ 44.8% of all vulnerabilities went through coordinated disclosure with the vendor.
⛔ 5.9% of 2017 vulnerabilities were reported through bug bounty programs.
⛔ Twelve companies accounted for 54.25% of all security bugs.
⛔ Web-related vulnerabilities accounted for 50.6% of all flaws.
⛔ 31.5% of 2017 vulnerabilities have public exploits.
⛔ 48.5% of 2017 vulnerabilities can be exploited remotely.
⛔ 24.1% of 2017 vulnerabilities have not received a patch.
⛔ Cross-Site Scripting (XSS) was the most encountered security bug (28.9%).
⛔ Google products were affected by 503 bugs with a CVSSv2 score of above 9.
⛔ Google Pixel/Nexus devices were affected by 354 bugs with a CVSSv2 score of above 9.
⛔ Half of all the cryptocurrency flaws tracked by RBS were reported in 2017 (60 out of 121).
⛔ 18.77% of vulnerabilities not found in CVE/NVD are scored as Critical Risk (9.0–10).
⛔ Google products account for most bugs not included in CVE/NVD (125), followed by Trend Micro (70), SAP (57), Open Source Geospatial (48), and Jenkins CI (31).
⛔ Chrome OS is the top product when it comes to vulnerabilities without a CVE/NVD identifier (88).
But Risk Based Security’s work wasn’t limited to analyzing the 2017 vulnerability landscape alone. The company also published the 2017 Year End Data Breach QuickView report, in which it took a look at the overall state of data breach reporting.
Just as with vulnerabilities, 2017 also saw a record-breaking number of security incidents: 5,207 data breaches that exposed a whopping 7.89 billion user records, 20% and 24.2% increases over the previous high marks set in 2015 and 2016, respectively. This report’s main findings are below:
⛔ 40% of 2017’s breaches could not be tracked to their source.
⛔ Web-based unintentional exposure was the leading cause for most of 2017’s exposed records (68.7%), but barely accounted for 5% of all breaches.
⛔ Most breaches occurred because of hacking (55.8% of incidents).
⛔ 89 breaches leaked over 1 million records in 2017.
⛔ 2017 finished with 8 breaches on the Top 20 List of All Time Largest Breaches.
⛔ Despite more breaches, and more large breaches, taking place in 2017, nearly 60% of incidents exposed between 1 and 10,000 records.