When you are an IT security manager trying to protect data and systems against hackers and malware, you have to pay special attention to how you manage vulnerabilities. Minimizing the level of vulnerabilities across the organization and blocking potential attack paths is no easy feat. Plus, it seems the challenge gets harder each year.
Our Skybox Research Lab analyzes over 20 sources of vulnerability data, providing an in-depth examination of the threat level that published vulnerabilities pose to enterprise IT environments. Here is a look back at some vulnerability trends culled from our 2013 data. Consider how these trends might impact your vulnerability management strategy and processes for 2014.
The Skybox Research Lab identified the following vulnerability trends in 2013:
- Data center vulnerabilities, including products found in enterprise data centers and servers, grew a weighted 38% in 2013, primarily due to the large increase in the number of medium to severe runtime framework and operating system vulnerabilities.
- Runtime framework vulnerabilities, including Java, .NET, XML Core Services and others, saw a lot of activity in 2013, including sharp quarterly increases and decreases following the release of Oracle critical patch advisories. In the end, runtime framework vulnerabilities closed the year with an annual weighted increase of 79%. Java is responsible for more than 95% of the runtime framework vulnerabilities, which saw a significant volume of cybercriminal exploits this year.
- While endpoint vulnerabilities, including desktop devices used in enterprise environments, maintained a fairly consistent volume throughout 2011 and 2012, they grew significantly in 2013, climbing a weighted 92% annually. The primary reason for this growth is the high volume of published Java and Web browser vulnerabilities.
- Web browser vulnerabilities grew a weighted 103% in 2013, primarily from Internet Explorer and Flash vulnerabilities. This growth poses a high risk to enterprises because Web browser zero-day vulnerabilities remain a popular attack vector, as seen with Internet Explorer vulnerability CVE-2013-3893, which went unpatched for nearly two months while attackers used the vulnerability to target Japanese financial firms.
Let’s sum that up as a major increase in Java and other runtime framework vulnerabilities, Web browser vulnerabilities, and endpoint vulnerabilities. To me, this can be interpreted as a continued shift toward more sophisticated exploits that take advantage of Java vulnerabilities and widespread Web-based applications that create entirely new highways of access to corporate data stores. Moving to newer runtime frameworks and upgrading enterprise applications takes a lot of communication and cooperation between security personnel and the teams responsible for application development and systems management.
How are you going to tackle these shifts in 2014?