Managing vulnerabilities across an organization continues to be challenging amid the increasing frequency of data breaches, according to Rahim Jina, COO and co-founder at vulnerability management solutions firm edgescan.
But analyzing vulnerability data and finding the right way to leverage both security professionals and automation systems and tools can go a long way to successfully dealing with the issue, he said Oct. 3 during a breakout presentation called “Vulnerability Landscape 2019 – Hocus Pocus Refocus” at the HITS Fall event.
Edgescan’s vulnerability management platform has been live for about five years now, he said, adding: “We’re looking for vulnerabilities all the time.”
This is the fourth year in which the company has done a report that analyzed vulnerabilities seen in the prior year, he pointed out, telling attendees that, for the last two years, the data has been used as a “subset” of Verizon’s annual Data Breach Investigations Report (DBIR).
“This year we added in an extra piece” to the data covering visibility, in which it’s “profiling assets” — that is, seeing what systems are live and when, and what services are running on them — and that’s generated interesting statistics, he said.
Thousands of web applications, application programming interfaces (APIs), Internet Protocol (IP) addresses, endpoints and infrastructure are assessed at least monthly with the platform, according to the firm. All vulnerabilities are validated and risk-rated to maintain the accuracy of its statistical model.
The 2019 stats report included both public Internet facing and internal network systems and applications, and its statistics are based on a cross section of industries from not only media and entertainment, but also finance, government, medical research and other fields, according to edgescan.
What it’s found in the last year is that “81 percent of vulnerabilities by volume present themselves in the network layer,” Jina said, but noted that only 2% of the high and critical risk issues were found there. In comparison, 19% of vulnerabilities were found in the application layer during the past year and 19% of the high and critical risk issues were found in that layer, he said.
The most common web/application layer vulnerability found in the past year was cross-site scripting (XSS), he said, noting it was discovered in 14.69% of incidents. “It’s nearly boring to find it,” he said, adding it “seems to be getting worse.” Another common web/application layer vulnerability is vulnerable components, which were detected 12.36% of the time.
The most common infrastructure vulnerability, meanwhile, was Transport Layer Security (TLS) and Secure Sockets Layer (SSL) version and configuration issues, found in a whopping 44.7% of cases, according to the firm.
The most common known external vulnerabilities related to unsupported Windows Server 2003 systems, seen 33.33% of the time, which Jina said was “crazy,” adding there’s “loads of known issues” with that system that leave it vulnerable to hacking. The most common known internal vulnerabilities, on the other hand, related to Microsoft Windows Server Message Block version 1 (SMBv1), which was detected in 11.40% of all vulnerabilities, according to edgescan.
Another major issue is that it often takes a long time for vulnerabilities to be fixed, Jina went on to say, noting it takes an average of 77.5 days to close a vulnerability on the application layer, with critical risk vulnerabilities taking 69 days, high risk ones 83 days, medium risk 74 days and low risk ones 84 days.
It takes an average of 81.75 days, meanwhile, for vulnerabilities to be fixed on the network layer, with 65 days needed on average for critical risk ones, 64 days for high risk, 78 days for medium risk and 120 days for low risk, according to edgescan.
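The layer-wide figures quoted above are the simple mean of the four per-risk figures (69, 83, 74 and 84 average to 77.5; 65, 64, 78 and 120 average to 81.75), so each risk rating counts once regardless of how many findings it holds. The following added example, which is not edgescan’s code and works on constructed records rather than its data, computes time-to-close both that way and volume-weighted, so a team reporting its own remediation metrics can see how far the two can diverge.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean


@dataclass(frozen=True)
class Finding:
    layer: str   # "application" or "network"
    risk: str    # "critical" | "high" | "medium" | "low"
    opened: date
    closed: date

    @property
    def days_to_close(self) -> int:
        return (self.closed - self.opened).days


def _f(layer, risk, days, opened=date(2018, 1, 1)):
    return Finding(layer, risk, opened, opened + timedelta(days=days))


# Constructed sample, not edgescan's data: application-layer findings with
# deliberately unequal volume per risk rating, plus one network finding
# that the application-layer functions must ignore.
SAMPLE = [
    _f("application", "critical", 60), _f("application", "critical", 80),
    _f("application", "high", 100),
] + [_f("application", "low", 20) for _ in range(5)] + [
    _f("network", "medium", 30),
]


def per_risk_mttr(findings, layer):
    """Mean days-to-close for each risk rating within one layer."""
    buckets = {}
    for f in findings:
        if f.layer == layer:
            buckets.setdefault(f.risk, []).append(f.days_to_close)
    return {risk: mean(days) for risk, days in buckets.items()}


def mean_of_means(per_risk):
    """Headline figure as quoted on the page: the simple mean of the
    per-risk means, each rating weighted equally."""
    return mean(per_risk.values())


def volume_weighted_mttr(findings, layer):
    """Mean over every finding in the layer, so a rating with many
    findings pulls the figure toward its own remediation time."""
    return mean(f.days_to_close for f in findings if f.layer == layer)
```

On the constructed sample the per-risk means are 70, 100 and 20 days, the mean of means is 63.3 days and the volume-weighted figure is 42.5 days; the page’s own application-layer numbers reproduce as `mean_of_means({"critical": 69, "high": 83, "medium": 74, "low": 84}) == 77.5`.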
Patching is a frequent way in which vulnerabilities are handled, but it’s not always effective, he said. Many organizations also “fall into the trap” in which they “buy the shiny box” to deal with security issues, he told attendees. But it’s best to leverage the security people you have and figure out where to use automation systems and tools and where to use people because “you really need people” also, he advised, adding: “You can’t use automation alone” because while it’s “great at finding certain types of vulnerabilities,” it’s “useless” at many others.
HITS Fall was presented by Entertainment Partners, with sponsorship by Genpact, VBI, edgescan, LiveTiles, MarkLogic, EIDR, Signiant, Cinelytic, Microsoft Azure, Richey May Technology Solutions and Comcast Technology Solutions.
The event was produced by the Media & Entertainment Services Alliance (MESA) and the Hollywood IT Society (HITS), in association with Women in Technology: Hollywood (WiTH); the Content Delivery & Security Association (CDSA); and the Smart Content Council.