M+E Connections

Edgescan Vulnerability Stat Report Details Rough 2020

Vulnerability management services firm Edgescan has released its “2021 Vulnerability Statistics Report,” and the numbers aren’t pretty on the remote work security front.

The report found that remote desktop (RDP) and secure shell (SSH) exposures were up a whopping 40%, almost certainly as a result of increased remote working due to COVID-19.

This resulted in a large increase in the discovery of vulnerabilities including BlueKeep (CVE-2019-0708), the bug behind the WannaCry attack of 2018, the report found.

Edgescan’s sample of a million endpoints profiled in 2020 also showed 21,070 had an exposed database, and more than 65% of the common vulnerabilities and exposures (CVEs) Edgescan found in 2020 are more than three years old, with 32% dating back to 2015 or earlier.

The oldest vulnerability discovered in 2020 was CVE-1999-0517, which is 21 years old.

“I am still as passionate as ever in compiling this report and delving into the underlying data. We still see high rates of known (i.e. patchable) vulnerabilities which have working exploits in the wild, used by known nation states and cybercriminal groups. So yes, patching and maintenance are still challenges, demonstrating that it is not trivial to patch production systems,” said Eoin Keary, CEO and founder of Edgescan.

“This report provides a glimpse of a global snapshot across dozens of industry verticals and how to prioritize on what is important, as not all vulnerabilities are equal. This year we call out which threat actors are leveraging discovered vulnerabilities, which should be food for thought.”

The report concludes that it takes organizations an average of 84 days to remediate high-risk vulnerabilities, the most common malware-related vulnerabilities are between one and three years old, and the most insecure framework on the internet is PHP, accounting for 22.7% of all critical risks discovered last year.

Nearly 14% of all critical risks discovered in 2020 were due to unpatched, unsupported or out-of-date systems, and 33% of discovered vulnerabilities on public internet-facing web applications were high or critical risk.

“With ‘everyone’ working remotely, attackers have focused on the end user now more than ever,” a summary of the report reads. “Phishing attacks, ransomware, data theft are all increasing. Many ransomware and malware attacks are a result of exploitation of CVEs. Remote working makes an attacker’s life easier due to it being more difficult to maintain and update remote workers’ devices.”

Ransomware attacks did increase as a result of this focus on end users; combined with phishing attacks, they saw a total jump of nearly 50% in 2020, costing organizations roughly $20 billion. That’s a massive increase compared to $11.5 billion in 2019 and $8 billion in 2018.