A record number of critical and high severity vulnerabilities were logged to the National Institute of Standards and Technology (NIST) and its National Vulnerability Database (NVD) in 2020. THE NVD is a repository of Common Vulnerabilities and Exposures (CVEs) reported by security professionals, researchers and vendors. It is used by security teams around the world to stay up to date with security vulnerabilities as they are discovered.

In January 2021, Redscan performed an analysis of the NVD to examine security and vulnerability trends. Their report focuses on vulnerabilities discovered in 2020, but also highlights wider CVE trends that have emerged since 1989.

Key findings include:

• More security vulnerabilities were disclosed in 2020 (18,103) than in any other year to date – at an average rate of 50 CVEs per day
• 57% of vulnerabilities in 2020 were classified as being ‘critical’ or ‘high severity’ (10,342)
• There were more high and critical severity vulnerabilities in 2020 than the total number of all vulnerabilities recorded in 2010 (4,639 including low, medium, high, and critical) 
• Nearly 4,000 vulnerabilities disclosed in 2020 can be described as ‘worst of the worst’ – meeting the worst criteria in all NVD filter categories 
• Low complexity CVEs are on the rise, representing 63% of vulnerabilities disclosed in 2020 
• Vulnerabilities which require no user interaction to exploit are also growing in number, representing 68% of all CVEs recorded in 2020 
• Vulnerabilities which require no user privileges to exploit are on the decline (from 71% in 2016 to 58% in 2020) 
• 2020 saw a large spike in physical vulnerabilities
• 70% of vulnerabilities expose a network-based attack vector

Oliver Tavakoli, CTO at Vectra, says, “The fact that 70% of the vulnerabilities expose a network-based attack vector is particularly concerning. As organizations have been moving to the cloud, this data is particularly worrisome as cloud patching strategies and security capabilities are generally less mature there. Coupled with the fact that the percent of attacks of low complexity is at its highest percentage since 2006, the need to patch smartly is clear – and given the impossibility of patching everything in real time, detection and response capabilities, particularly in the network, are necessary for organizations to achieve reasonable security resilience.”

Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, explains, “It’s not surprising that the number of CVEs is continuing to grow rapidly. The worlds dependence on software, and the fact that vendors take further responsibility on their own software’s security (especially after the SolarWinds incident), will lead vendors to disclose even more vulnerabilities. Eventually, this means one thing to the enterprise - it needs to adapt to a more scalable and robust remediation operation, that is not human dependent, but automated and effective. Even though there have never been more vulnerabilities classified as ‘critical’ or ‘high severity,’ the more important classification is whether or not the vulnerabilities create risk to your business. Your cybersecurity team must be able to prioritize vulnerabilities by assigning custom risk scoring that are relevant to your business."

Bar-Dayan adds, "Consider your unique risk tolerance, prioritize vulnerabilities based on severity of risk and the specific threat to business assets. Then fix what matters most. Identification and prioritization of vulnerabilities is simply a good start. The majority of the work still rests with IT operations and DevOps teams to actually remediate the vulnerabilities. Security teams need to work with their friends in IT if they want to win whack-a-mole, vulnerability remediation edition. Security teams must stop sending IT folks on a wild fix chase. Get the right remedies to the right people, right away, be it a patch, configuration script, workaround, compensating control or mitigating action. Help them get the most out of their favorite patch and configuration management, and endpoint security tools, to get actual “fix” done at scale.”

For detailed findings, please visit https://www.redscan.com/media/Redscan_NIST-Vulnerability-Analysis-2020_v1.0.pdf