Despite sharp increase in number of vulnerabilities, fewer pose high risk year-over-year since 2011, Kenna Security finds

How has the vulnerability landscape changed over the past decade? Coinciding with the company’s 10-year anniversary, Kenna Security, the enterprise leader in risk-based vulnerability management, has released a data-driven review of the vulnerability trends and risks that have shaped cybersecurity over the past decade. 

“So much of cybersecurity has changed over the past decade, but one thing has stayed the same: it involves running from one crisis to another,” said Ed Bellis, founder and CTO of Kenna Security. “It’s rare for practitioners to have a chance to look back and see how their jobs have changed. But major shifts over the past decade can provide new clues about what the future holds for cybersecurity.” 

The total number of vulnerabilities discovered per year has exploded from 4,100 in 2011 to more than 17,500 in 2020. Yet the proportion of vulnerabilities that hackers have been willing or able to weaponise has not kept pace. While the overall volume of vulnerabilities reported each year has quadrupled, the percentage of newly discovered vulnerabilities that have been exploited in the wild has declined to just 0.38 per cent from a high of 1.64 per cent in 2012.

And yet CVSS, a commonly used metric that some enterprise security teams rely on to prioritise vulnerability management, does not offer clarity. Over 13 per cent of CVEs have a CVSS score of 9 or greater, even though the vast majority have never been exploited in the wild.

Kenna Security’s analysis also found:

  • Just 0.18 per cent of vulnerabilities – a total of 171 – have a Kenna Risk Score of 100, representing the highest-risk vulnerabilities from the past ten years. They have an average CVSS score of 9.
  • Numerous vulnerabilities with a Kenna Risk Score of 100 have CVSS scores that are far lower. In fact, the average CVSS score for this class of critical vulnerabilities in 2018 was 7.6, and it was 8.7 in 2017.
  • There’s also been a shift in the vendors whose products often have vulnerabilities with a 100 Kenna Risk Score. Between 2011 and 2014, vulnerabilities affecting Adobe, Oracle Java, Microsoft Internet Explorer, and Mozilla dominated the list. Recently discovered critical vulnerabilities, which tend to focus on cloud platforms and servers, affect a more diverse set of products and vendors. 
  • More than one-in-four vulnerabilities involved remote code execution, while nearly one-in-five involved denial of service.

Over the past ten years, Kenna Security has made several major contributions to the cybersecurity community, including the Exploit Prediction Scoring System, a free tool that helps companies assess the danger of individual vulnerabilities. The company’s Prioritization to Prediction series, now in its sixth volume, has leveraged Kenna’s unique dataset to show that companies have the capacity to mitigate just one out of every ten vulnerabilities.

“We founded Kenna a decade ago because CISOs and their security teams were overwhelmed by the number of vulnerabilities on their systems and the lack of rational and effective ways to manage them,” continued Bellis. “Now as we look back on the last ten years, it’s clear that the challenge has only grown. But there is light at the end of the tunnel. Approaching this challenge with data science and a focus on risk can level the playing field for CISOs. This has made modern vulnerability management more manageable and efficient.”