Skip to main content

Only a tiny percentage of security vulnerabilities are actually exploited in the wild

Cybersecurity
(Image credit: Altalex)

The threat to enterprises posed by security vulnerabilities may not be as great as it first appears, new research has revealed. 

According to US cyber risk firm Kenna Security has revealed that just a small number of the thousands of threats discovered each year are being actively exploited in the wild.

The company found that although 18,000 new CVE IDs were created in 2019, only 473 of these were exploited in a way that was likely to impact businesses. Although this number is still significant and should not be dismissed by cybersecurity teams, it brings greater insight into the true divide between attackers and defenders operating in the cybersecurity space.

“A mere 6% of those 473 vulnerabilities ever reached widespread exploitation by more than 1/100 organizations," Kenna Security's report read. “The fact that an exploit is ‘in the wild’ does not mean it’s a raging hog wild across the internet. There is no ‘typical’ vulnerability lifecycle. Only 16% of the CVEs we studied followed the most common sequence of Reserved-Patched-Scanned-Published-Exploited. Several key milestones tend to converge surrounding CVE publication.”

Install those patches

Kenna also revealed that within a day of publication, more than 50% of reported vulnerabilities have code available to enable exploits. Within a month of a CVE being published, around 75% have active exploits being shared. 

The findings highlight the importance of security patches, with more than 80% of CVEs gaining a patch as soon as the vulnerability is disclosed. Whether these relate to cloud apps, web browsers, or any other solution, these patches should be installed as a priority.

There has also been some disagreement over how CVEs are allocated recently. Although CVE IDs can only be issued by certain organizations, these have grown in number significantly over the last few years, now totaling more than 150 firms. Some of these only issue CVEs for their own products, but the growth in this field is likely to have contributed to the recent explosion in CVE numbers.

Overall, the findings should certainly not be used to downplay the threats present to businesses and individuals, but it does bring some much-needed perspective: through rapid patch installation, most threats can be mitigated.

Via The Register