For our 6th year running, welcome to the Edgescan Vulnerability Stats Report. This report aims to demonstrate the state of full stack security based on thousands of security assessments performed globally, as delivered by the Edgescan SaaS during 2020.
I am still as passionate as ever in compiling this report and delving into the underlying data, as it gives unique insight into what’s going on from a trends and statistics perspective and indeed a snapshot of the overall state of cyber security.
The Edgescan report has become a reliable source for truly representing the global state of cyber security vulnerability management. This is becoming more evident as our unique dataset is now also part of other annual security analysis reports, such as the OWASP Top 10 and the Verizon DBIR (we have been happy contributors for many years now).
This year we took a deeper look at vulnerability metrics from a known vulnerability (CVE), malware, ransomware and visibility (exposed services) standpoint, covering both internal and public Internet-facing systems.
We still see high rates of known (i.e. patchable) vulnerabilities which have working exploits in the wild, used by known nation state and cyber criminal groups. So yes, patching and maintenance are still a challenge, demonstrating that it is not trivial to patch production systems. The MTTR (Mean Time to Remediation) stats also reflect this issue. Detection on a constant basis needs improvement and, as I’ve always said, visibility is paramount.
The web application layer is where the majority of risk still resides, but some lower layer (host/operating system/protocol) issues, if discovered, could also present headaches if exploited. CVEs as old as 2015 are being used by ransomware and malware toolkits to exploit systems within “the perimeter”.
Visibility is a key driver of cyber security and, based on our continuous asset profiling, we discuss how commonly sensitive and critical systems are exposed to the public Internet. For example, we saw a 40% increase in exposed remote desktop services due to the increase in remote working during the year. The assumption here is that enterprises simply did not have the visibility or systems in place to make them aware of, or inform them of, the exposure.
As in last year’s report, we also delve into “internal” cyber security, looking at metrics which may not seem as important, but which are a valuable defense in the case of malware infection, ransomware and other internal attacks.
Such malware, ransomware and APT actors leverage common vulnerabilities in corporate networks to spread across the enterprise. This report provides a global snapshot across dozens of industry verticals and guidance on how to prioritize what is important, as not all vulnerabilities are equal. This year we call out which threat actors are leveraging the discovered vulnerabilities, which should be food for thought.