Hackers Exploit Only 5.5% of All Security Vulnerabilities, but That Is Not Good News

How do you deal with security vulnerabilities? Well, for individual users, things shouldn't be too hard. In fact, more often than not, all they need to do is enabled the automatic updates for their software applications and tools. This ensures that security patches are applied quickly and efficiently. When an organization's IT infrastructure is at stake, however, things are much more complicated.

Sysadmins have quite a few things to think about before they can apply a security patch. For example, we could be talking about hundreds of employees who might be forced to stop doing what they're doing in order to have the update installed. The potential downtime alone is a big enough problem, but it could be even worse.

In a corporate environment, the correct functioning of an entire system is often dependent on several separate components working together, and as a result, an update to one of those components could bring the whole infrastructure down. The upshot is, applying a single patch is a lot of hard work. Consider how many security holes are plugged every day, and you'll quickly see how big the problem is.

Prioritizing security patches – a major challenge

Installing every single security update to a corporate infrastructure is not really feasible in most cases and can sometimes cause more harm than good. Companies need to have a good strategy when it comes to applying patches. Dedicating more resources to filling the security holes that present the greater danger, and focusing less on the ones that are unlikely to cause too much harm is very important. But how can a sysadmin assess all the different vulnerabilities and decide which ones need to be patched immediately and which ones can wait?

Jay Jacobs from Cyentia Institute, Sasha Romanovsky from RAND Corporation, and Idris Adjerid and Wade Baker from Virginia Tech were asking themselves the same question. They teamed up with Kenna Security, a vulnerability and threat management company, they collected quite a lot of real-world data from multiple different sources, and they set about trying to discover which known security issues are most likely to be exploited in the wild. Their research was presented last week at the Workshop on the Economics of Information Security in Boston.

How cybercriminals pick vulnerabilities to exploit

The public disclosure of cybersecurity vulnerabilities, even after a patch has been released, often causes controversy. Some argue that not everyone will apply the fix and that hackers will know about it. Sometimes, along with information about the vulnerability, researchers also publish proof-of-concept code (PoC) that can actively exploit it which, many people say, makes the attackers' job even easier.

You can probably see the logic in that argument. In practice, however, things are a bit different. Only a half of all the vulnerabilities that were actively exploited in the wild had PoC code publicly available. With the rest, the hackers had to figure out a way of taking advantage of them on their own. In other words, as perplexing as it may sound, the presence of PoC code on a freely accessible website bears no relation to the likelihood of exploitation. Some of the researchers' other findings weren't quite so surprising.

In addition to a unique CVE code, each and every discovered security vulnerability gets its CVSS score. CVSS stands for Common Vulnerability Scoring System, and it's basically a way of telling how dangerous a particular security flaw could be. The experts found out that the higher the vulnerability's CVSS score, the more likely it is to get exploited.

But how popular is vulnerability exploitation anyway?

One in twenty vulnerabilities gets exploited in the wild

Vulnerability exploitation is just one of the attack vectors hackers use, and by the looks of things, it's not the most popular one. Just over 5% of the vulnerabilities the researchers examined had been actively taken advantage of in the wild. Although previous research has shown an even smaller number, the current whitepaper is based on a much bigger dataset, which means that the results should be more reliable.

5% doesn't sound like a whole lot, but when you take a look at the actual figures, you'll see that the problem is far from insignificant. Approximately 76 thousand vulnerabilities received CVE registrations between 2009 and 2018, meaning that the number of holes that were exploited in the real world sits at just under 4,200.

In other words, sysadmins the world over could end up in a lot of trouble if they ignore security patches. Unfortunately, although the CVSS score could act as an indicator, there is no algorithm that can reliably tell which vulnerabilities are more likely to be exploited, and in the end, it should all come down to the individual threat model. Sysadmins who have not put together their vulnerability management strategy yet should go on and start doing it as a matter of urgency.