Vulnerability and Threat Trends Report highlights the importance of cyber exposure analysis that goes beyond CVSS rating

By Alastair Williams SEPT 21, 2021

If your network security firewalls are breached and data stolen, it might have been those shady characters hanging out by your office fish tank. Sound fishy? We’ll explain later.

Our new Vulnerability and Threat Trends Mid-Year Report found that the number of vulnerabilities exploited in the wild grew 30% in H1 2021 compared with the same period last year. We also found two areas that are particularly exposed: network devices and operational technology (OT). OT in particular saw a sharp increase, with 519 CVEs (common vulnerabilities and exposures) in H1 2021 compared with 356 in H1 2020, a leap of 46%.

Attackers are increasingly targeting medium-severity vulnerabilities as the first step in multistage attacks. It turns out that the high-profile vulnerabilities are not always the most dangerous. Sometimes it is the ones that have been sitting quietly in your network for years, accumulating, that leave you open to a crippling attack.

The report highlights how the sheer volume and variety of accumulated security debt (hundreds of thousands, or even millions, of vulnerability occurrences within some large organizations) means that security teams can’t possibly isolate and patch all of them. It simply can’t be done. Nor do they need to. Some vulnerabilities, even those rated high severity under the CVSS (Common Vulnerability Scoring System), pose little or no risk because attackers can’t get to them. Others, even when rated low or medium severity, present a clear and present danger because they are reachable, actively exploited in the wild, or both. It is therefore critical to measure actual exposure and identify the greatest, most immediate risks to the organization, regardless of the CVSS severity of the individual vulnerabilities.

This finding is further evidence that CVSS severity does not equal actual security risk. It also points to the growing need for an approach that identifies the exploitable vulnerabilities, correlates them with an enterprise’s unique network configurations and security controls, and prioritizes the most dangerous ones. That matters most to companies without the resources or expertise to even think about patching everything.

Cybersecurity vendors that define “exposure” as a simple correlation between known exploits in the wild and “critical vulnerabilities” are misleading their customers. One flaw in this definition is that it ignores the many potential paths across a network that a threat actor may take to reach a vulnerable system and exploit it. Another is that it ignores the enterprise’s unique network configurations and security controls.

Network devices are not safe

Network devices are also squarely in attackers’ crosshairs. The number of vulnerabilities in network devices such as routers, switches and firewalls, and in their operating systems, rose nearly 20% in the first half of 2021. And when it comes to sources of network vulnerabilities, it is often the firewalls and VPN gateways themselves that introduce new weaknesses and blind spots. Ironic, huh?

Like OT, network devices are an Achilles heel for many organizations. They are critically important parts of the infrastructure, yet their security flaws are often invisible because network devices are difficult or impossible to scan effectively. The vulnerabilities are also widespread, recurring across every deployment of an affected product. For example, a critical vulnerability was reported earlier this year in BIG-IP appliances, which are used for tasks such as load balancing and DDoS (distributed denial of service) mitigation.[1]

With the rapid adoption of Internet of Things (IoT) devices, it’s not enough to secure the traditional on-prem enterprise network; you now have to secure everything from your plant-floor machinery to your fish tank. You may recall the story of the casino that was hacked when attackers used an internet-connected fish-tank thermometer to swim upstream into the network, snag the casino’s high-roller database, pull that sensitive data back out through the thermometer and send it to the cloud.[2]

The point is that the volume of exposures is increasing so fast that companies can’t patch them all. They need visibility and insight to prioritize and plug the most dangerous holes in their security dike. This brings us back to the report’s finding on the importance of true exposure analysis, and how it is defined.

Context is critical to prioritizing the most dangerous vulnerabilities

To fully understand the exposure associated with each vulnerability, you need both the external threat context and the internal network configurations and security controls. On the threat side, if a vulnerability has no proof-of-concept exploit and isn’t being actively exploited, it poses a lesser threat. On the network side, exposure analysis requires an understanding of each vulnerability’s context within the enterprise’s unique topology and security environment: if there is no viable path by which an attacker can reach the vulnerable system or asset, it too poses a lesser threat.

Without network context, a high-severity vulnerability in a cul-de-sac of non-critical printers could be given far higher priority than a lower-severity vulnerability (the fish-tank thermometer) that offers a hidden path to your customer data. In other words, businesses relying on an inadequate exposure analysis can bar the castle’s front gate but forget the small, dimly lit back passage that leads directly to their data gold.

Exposure analysis must determine which attack vectors or network paths could be used to reach vulnerable systems. Path analysis, coupled with attack simulation, is the most precise way to determine how exposed your network is to a possible breach. It is only possible when disparate data repositories are normalized and brought together into a single network model: patch and asset management systems, vulnerability scan data, threat intelligence feeds, and cloud and network device configurations.

If you can’t effectively connect your data, you can’t see it; and if you can’t see it, you can’t model it. A network model provides a dynamic representation of hybrid environments across traditional IT, private cloud, public cloud and OT. It lets you identify exploitable vulnerabilities and correlate them with your network configurations and security controls to determine whether a system is actually exposed to attack from one or more threat origins.
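To make the argument of the last few paragraphs concrete, here is an added example (it is not code from the report, its authors or any vendor product): a small Python model in which firewall rules are directed edges between network zones, a foothold in a zone is gained only through an exploitable service the attacker can reach, and each vulnerability is ranked by whether the threat origin has a viable path to it, with CVSS used only as a tiebreak. Every zone, rule, host name and VULN-xx label is constructed for the illustration; the labels are not real CVE identifiers.

```python
from collections import deque
from dataclasses import dataclass

ANY = 0  # wildcard port in a firewall rule


@dataclass(frozen=True)
class Rule:
    """Allow rule in the network model: traffic from zone `src` to zone `dst` on `port`."""
    src: str
    dst: str
    port: int


@dataclass(frozen=True)
class Vuln:
    """One vulnerability occurrence. `vid` is a constructed label, not a real CVE."""
    vid: str
    host: str
    zone: str
    port: int        # port the vulnerable service listens on
    cvss: float
    poc: bool        # public proof-of-concept exploit exists
    exploited: bool  # observed exploited in the wild


def allows(rule, src, dst, port):
    """True if `rule` permits traffic from zone `src` to zone `dst` on `port`."""
    return rule.src == src and rule.dst == dst and rule.port in (ANY, port)


def footholds(origin, rules, vulns):
    """Path analysis by BFS over zones.

    The attacker gains a foothold in zone Z when some rule allows traffic from an
    already-owned zone to Z on the port of an exploitable (PoC or in-the-wild)
    service in Z. Returns {zone: zone_it_was_reached_from} for every owned zone.
    """
    via = {origin: None}
    queue = deque([origin])
    while queue:
        here = queue.popleft()
        for v in vulns:
            if v.zone in via or not (v.poc or v.exploited):
                continue
            if any(allows(r, here, v.zone, v.port) for r in rules):
                via[v.zone] = here
                queue.append(v.zone)
    return via


def attack_path(v, via, rules):
    """Zone chain from the origin to v's service, or None if there is no viable path.

    Owned zones are scanned in BFS insertion order, so the first hit is a shortest path.
    """
    for zone in via:
        if zone == v.zone or any(allows(r, zone, v.zone, v.port) for r in rules):
            path, z = [], zone
            while z is not None:
                path.append(z)
                z = via[z]
            path.reverse()
            if zone != v.zone:
                path.append(v.zone)
            return path
    return None


PRIORITY = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def exposure_tier(v, path):
    """Combine reachability with threat context; CVSS is deliberately not consulted."""
    if path is None:
        return "low"       # nothing can get to it from the threat origin
    if v.exploited:
        return "critical"  # reachable and actively exploited in the wild
    if v.poc:
        return "high"      # reachable, public exploit code available
    return "medium"        # reachable, but no known exploit yet


def prioritise(origin, rules, vulns):
    """Return [(vuln, tier, path)] ordered by exposure tier, then CVSS as a tiebreak."""
    via = footholds(origin, rules, vulns)
    rows = []
    for v in vulns:
        path = attack_path(v, via, rules)
        rows.append((v, exposure_tier(v, path), path))
    rows.sort(key=lambda row: (PRIORITY[row[1]], -row[0].cvss))
    return rows


# Constructed network model and findings (illustrative only).
RULES = [
    Rule("internet", "dmz", 443),        # public web front end
    Rule("internet", "iot", 8080),       # thermometer's vendor portal, left open inbound
    Rule("iot", "datacenter", 1433),     # flat network: IoT segment can talk to the DB
    Rule("office", "datacenter", 1433),  # staff workstations to the DB
    Rule("dmz", "office", ANY),          # DMZ jump host manages office devices
]
VULNS = [
    Vuln("VULN-01", "print-07", "office", 9100, 9.8, poc=True, exploited=False),
    Vuln("VULN-02", "tank-thermo", "iot", 8080, 5.3, poc=True, exploited=True),
    Vuln("VULN-03", "crm-db", "datacenter", 1433, 7.5, poc=True, exploited=False),
    Vuln("VULN-04", "www-01", "dmz", 443, 9.1, poc=False, exploited=False),
]

if __name__ == "__main__":
    for v, tier, path in prioritise("internet", RULES, VULNS):
        route = " -> ".join(path) if path else "no path"
        print(f"{tier:8} {v.vid} CVSS {v.cvss:>4} {v.host:12} {route}")
```

Run stand-alone, the ranking comes out critical, high, medium, low for VULN-02, VULN-03, VULN-04 and VULN-01 respectively, the exact reverse of their CVSS order: the 5.3 thermometer flaw is the internet-facing foothold, the 7.5 database flaw sits one hop behind it, and the 9.8 printer flaw has no path leading to it at all. Set `poc=True` on VULN-04 and the DMZ becomes a foothold that opens the path to the printers, which is why exposure has to be recomputed whenever the threat intelligence or the network model changes.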

Most enterprises have thousands of devices deployed, and patching all of them could take months or years while putting a massive strain on resources. Instead, companies and governments need a vulnerability management solution that identifies the specific systems presenting actual risk, so they can remediate them before threats sneak into their fish tanks.

Download the Vulnerability and Threat Trends Mid-Year Report 2021 to learn more.

[1] Hackers are exploiting a server vulnerability with a severity of 9.8 out of 10, Ars Technica, March 19, 2021
[2] A Casino Gets Hacked Through a Fish-Tank Thermometer, Entrepreneur, April 14, 2021