HITS

2019 Vulnerability Stats Report Out From edgescan (HITS)

edgescan has released its “Vulnerability Stats Report 2019”, which describes the internal and external-facing cyber security risks that typical organizations face across the entire stack.

Key items covered are:

edgescan research has uncovered that vulnerabilities which are over 20 years old still exist in live Internet-facing systems. 81.58% of systems had at least one CVE (Common Vulnerabilities and Exposures entry) and 20.57% of systems assessed had more than 10 CVEs.

81% of all vulnerabilities in enterprise IT systems are network vulnerabilities and only 19% are application vulnerabilities, but the area of exposure is still in the application layer: 19% of application vulnerabilities are either high or critical risk, compared to just 2% of network vulnerabilities.

According to their research, it takes an average enterprise about 69 days to patch a critical web application vulnerability and 65 days to patch the same in its infrastructure layers.

The edgescan research goes on to cover exposed services facing the public Internet. In 2018 they discovered over 750 exposed databases and 7,625 Remote Desktop Services (RDP).

In relation to compliance, edgescan, a certified PCI ASV, reports that 68% of all vulnerabilities discovered had a CVSS score above 4.0, which results in a PCI compliance fail.

The full report can be downloaded here.