This is a guest blog post from our 2022 Secure360 Diamond sponsor, Cisco Secure! Thanks for sharing!
Jerry, what can you tell us about the world of vulnerabilities?
Jerry Gamblin, Director of Security Research, Kenna Security (now part of Cisco): Last year, we saw over 20,000 CVEs (Common Vulnerabilities and Exposures) for the first time ever. That’s 55 CVEs a day.
I don’t know many security teams that are staffed to the level of being able to look at 55 CVEs a day and understand which ones are important and which ones are not.
We run a model every night, and it looks like there’s going to be over 23,000 CVEs this year. So, we know that this is a problem that is growing bigger.
The truth is that while we talk a lot about vulnerabilities that are popular (everybody knows about Log4j and the Microsoft Exchange vulnerability that came out in early 2021), we’re seeing more vulnerabilities come through on Chrome and Edge in huge waves.
PrintNightmare was one of the most impactful vulnerabilities of 2021. It was so widespread that in the end, Microsoft set an instruction to go back to needing an admin to install printers. It really changed the dynamic of how security teams work in this arena.
What occupied your team’s time during 2021? Can you highlight some of the top vulnerabilities?
JG: We spent a lot of time on the Chrome V8 engine. Microsoft also made a substantial change this year when they moved from Internet Explorer. Now it’s based off Chromium, so we’re making sure our customers understand the switch to an open-source browser from a closed-source browser.
We’re also seeing a lot of virtualization vulnerabilities becoming increasingly common. We saw a lot of VMware vulnerabilities this year that we hadn’t seen in the past.
And we’re starting to see the emergence of what we internally call “Pile-on CVEs.” (We don’t have a good term for it yet…).
For example, a base CVE might come out, and then over the next couple of weeks, you might say, “I looked at the code because it was interesting. And I found this CVE, and this CVE, and this CVE…”
What do these findings and activities that happened in 2021 tell you about what defenders might have to face this year? Are there any vulnerability trends that you can point to?
JG: We know that CVSS isn’t a great predictor of exploitability – and we’re not saying anything here that CVSS don’t say themselves. When we launched our latest Priority to Prediction report, we made the news because we said Twitter is a better indicator of exploitability. What you have to look for generally isn’t in the CVSS score.
Organizations really need to move to a risk-based vulnerability management system, where you’re looking at potential remote code executions. Or if there is a released exploit code for it (that’s the biggest thing that you can do). And what can you do to make sure that the vulnerabilities on your network are being addressed properly?
To help you stay up to date, our blog, blog.Kennasecurity.com, has the Prioritization to Prediction report, which discusses how you can reduce risk with vulnerability prioritization based on risk and real-world exploitation data. And I have a personal project that runs a notebook every day at CVE.ICU that does open-source data analysis on the CVE data set.
For more resources on how to deal with critical threats, head to cisco.com/go/critical-threats