2021 was another record-breaking year for the discovery and disclosure of new common vulnerabilities and exposures (CVEs), according to analysis of the US Department of Commerce’s National Institute of Standards and Technology’s (NIST’s) National Vulnerability Database (NVD).
Analysts at cyber services firm Redscan – part of risk management specialist Kroll – who have been poring over the NVD’s figures, said there were 18,439 CVEs logged in 2021 to date, more than in any other year since records began, averaging more than 50 every day.
They said the continuing trend of more and more bugs being logged reflected the rapid evolution of the threat landscape, and the difficulty security researchers face in keeping up; as everybody knows by now, 2021 has been a tough year for security teams, with dramatic spikes in ransomware attacks, the rise and rise of supply chain compromises, and the continuing impact of Covid-19.
“Sadly, 2021 being a record-breaking year for vulnerabilities is in line with our expectations at the start of a year that has proved very difficult for security pros,” said George Glass, head of threat intelligence at Redscan.
“Cyber crime and security vulnerabilities are evolving all the time, and security teams are struggling to stay up-to-date. This milestone is also a reminder of the continued importance of patch management and defence in depth.
“Not all vulnerabilities are known and patched, which means security teams must have controls in place to detect and respond to attacks in their infancy before they can do real damage,” he said.
Of particular concern is a notable uptick in the number of CVEs classed as being of low- or medium-severity. “The prominence of highly available CVEs that require limited technical skills to exploit and no user interaction is naturally a concern for security teams,” said Glass.
Limited technical skills required
Indeed, approximately 90% of all new CVEs logged on the NVD in 2021 could be exploited by threat actors with limited technical skills, while 54% of new bugs were classed as having high availability, which means they are readily accessible and exploitable. Moreover, CVEs that require no user interaction – such as clicking on a malicious link or downloading a tainted file – now account for 61% of the total volume.
There is also the added complication that a vulnerability classed as low-impact may be passed over by the security teams responsible for patching in favour of high-impact, critical flaws that attract more attention.
However, Glass’s team did find some reasons to be cheerful, with the number of new CVEs that require no elevated privileges to exploit dropping for the third year on the trot, down to 55% of the total number, from 59% last year and 66% in 2019. Additionally, the number of new vulnerabilities with a high confidentiality rating, meaning they are considered likely to put confidential data at risk of exposure, dropped from 59% to 53%.
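The categories Redscan counted (limited technical skill, no user interaction, no elevated privileges, high confidentiality impact) map onto the base metrics of a CVSS v3.x vector string as published in the NVD. The following is an added example, not Redscan's or NIST's code: it parses vectors of that form and reports the share of records falling into each category, rejecting malformed or v2-only vectors so they are counted as skipped rather than silently miscategorised. The CVE identifiers and vectors below are constructed placeholders, not NVD entries.

```python
"""Summarise CVSS v3.x base-metric shares over a set of CVE records.

Added example for illustration; the records are constructed sample data.
In practice the vectors would come from the NVD JSON data feeds.
"""
from collections import Counter

# Base metrics every CVSS v3.x vector must carry (CVSS v3.1 specification):
# AV Attack Vector, AC Attack Complexity, PR Privileges Required,
# UI User Interaction, S Scope, C/I/A Confidentiality, Integrity and
# Availability impact on the affected component.
BASE_METRICS = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")

# Categories of the kind reported in the article, as (metric, value) tests.
CATEGORIES = {
    "low attack complexity (AC:L)": ("AC", "L"),
    "no user interaction (UI:N)": ("UI", "N"),
    "no privileges required (PR:N)": ("PR", "N"),
    "high confidentiality impact (C:H)": ("C", "H"),
    "high availability impact (A:H)": ("A", "H"),
}

# Constructed sample records; the IDs are placeholders, not real CVEs.
SAMPLE_RECORDS = [
    {"id": "CVE-0000-0001", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
    {"id": "CVE-0000-0002", "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},
    {"id": "CVE-0000-0003", "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},
    {"id": "CVE-0000-0004", "vector": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},
    # A v2-only vector: older NVD entries have no v3 score and must be skipped.
    {"id": "CVE-0000-0005", "vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P"},
]


def parse_cvss_v3(vector: str) -> dict:
    """Parse 'CVSS:3.x/AV:N/AC:L/...' into a metric -> value dict.

    Raises ValueError for anything that is not a well-formed v3.x vector
    carrying all eight base metrics, so bad feed entries surface instead
    of being counted under the wrong category.
    """
    parts = vector.split("/")
    if not parts[0].startswith("CVSS:3."):
        raise ValueError(f"not a CVSS v3 vector: {vector!r}")
    metrics = {}
    for part in parts[1:]:
        name, sep, value = part.partition(":")
        if not sep or not value:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        metrics[name] = value
    missing = [m for m in BASE_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"vector {vector!r} lacks base metrics {missing}")
    return metrics


def summarise(records) -> dict:
    """Return totals and the percentage of parseable records per category."""
    counts = Counter()
    total = skipped = 0
    for rec in records:
        try:
            metrics = parse_cvss_v3(rec["vector"])
        except ValueError:
            skipped += 1
            continue
        total += 1
        for label, (metric, value) in CATEGORIES.items():
            if metrics[metric] == value:
                counts[label] += 1
    percent = (
        {label: round(100 * counts[label] / total, 1) for label in CATEGORIES}
        if total else {}
    )
    return {"total": total, "skipped": skipped, "percent": percent}


if __name__ == "__main__":
    result = summarise(SAMPLE_RECORDS)
    print(f"scored: {result['total']}, skipped: {result['skipped']}")
    for label, pct in result["percent"].items():
        print(f"{pct:5.1f}%  {label}")
```

Running a summary like this over a full year of NVD data is how percentages such as those quoted above are produced; the skipped count matters, because entries without a v3 vector would otherwise distort the denominator.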
Redscan’s figures were pulled at 9am GMT on 8 December 2021, so the final figures for the year will almost certainly vary – particularly after Microsoft’s final scheduled Patch Tuesday release of the year, which will drop on 14 December.
Meanwhile, ethical hacking and penetration testing specialist HackerOne has also reported a bumper year for vulnerabilities, with hackers working through its platform reporting more than 66,000 valid vulnerabilities in 2021, up 20% on 2020, as pandemic-induced digital transformation efforts, and outsourcing to third parties and cloud providers, continue to expose more attack surfaces.
In its annual Hacker-powered security report, HackerOne said it also found that bug bounty prices for high- and critical-rated vulnerabilities are on the rise – critical bugs now fetch $3,000 (£2,270/€2,652) on average, up from $2,500 in 2020 – and, positively, users are getting quicker at remediating them.
“Even the most conservative organisations are recognising the power of the outsider point of view,” said Chris Evans, HackerOne’s newly appointed chief information security officer and chief hacking officer. “We’ve continued to see high growth in the financial services sector, for example.
“Measuring and quantifying risk is their business, and they’re seeing that both risk and business outcome is better if they embrace hackers. Across the board, we’re seeing customers using vulnerability report data to inform their software development lifecycles.
“Organisations are catching issues earlier, and remediating them, at greatly reduced cost by focusing on improvements to developer education, source code integrations and development frameworks,” he said.
HackerOne also revealed that the adoption of hacker-led security initiatives is up across all surveyed verticals, with a 34% increase in customer programmes this year. The most widespread bugs reported on its platform were cross-site scripting vulnerabilities, although other categories of vulnerability are also on the rise.