Enterprises discovering 870 vulnerabilities per day
Enterprises are identifying an average of 870 unique vulnerabilities per day, with more than 100 of these considered to be critical, according to research from cybersecurity company Tenable.
The company’s Vulnerability Intelligence Report found that almost two-thirds of the vulnerabilities enterprises are finding in their environments are rated high severity.
More than 100 of the vulnerabilities detected per day are ranked as critical on the industry-standard Common Vulnerability Scoring System (CVSS).
Based on analysis of 900,000 vulnerability assessments across 2100 enterprises, Tenable estimates that the industry is on track to disclose 19,000 new vulnerabilities by the end of the year.
This represents a growth of 26.3% from 2017. The number of vulnerabilities published also spiked 53% from 2016 to 2017.
Of the top 20 application vulnerabilities impacting the largest number of enterprises, half are in Adobe Flash, with Microsoft Office accounting for a further 20%.
According to the report, this indicates that companies are struggling to assess and manage the high number of vulnerabilities and are unable to make strategic technology decisions — with Flash set to be discontinued from 2020, organisations should have found alternatives by now.
“When everything is urgent, triage fails. As an industry, we need to realise that effective reduction in cyber risk starts with effective prioritisation of issues,” Tenable Senior Director of Product Management Tom Parsons said.
“To keep up with the current volume and velocity of new vulnerabilities, organisations need actionable insight into where their greatest exposures lie; otherwise, remediation is no more than a guessing game. This means organisations need to focus on vulnerabilities that are being actively exploited by threat actors rather than those that could only theoretically be used.”
The good news is that in 2017, public exploits were available for only 7% of detected vulnerabilities, meaning that 93% of vulnerabilities posed only a theoretical risk.