Risk Based Security has released its 2021 vulnerability report, which shows that 2021 was a record-breaking year for vulnerability disclosures: 28,695 flaws were disclosed in 2021, a 23.3% increase on the 23,269 vulnerabilities disclosed in 2020.
The exploitation of unpatched vulnerabilities is a common way for cybercriminals, ransomware actors in particular, to gain access to business networks, so it is vital for businesses to patch vulnerabilities promptly. Staying on top of patching when so many vulnerabilities are being disclosed is a significant challenge. Risk Based Security strongly recommends prioritizing patching and addressing the most serious vulnerabilities first: those known to have been actively exploited in the wild, and any that are remotely exploitable and allow code execution.
Risk Based Security said that 4,100 of the 28,695 vulnerabilities disclosed in 2021 met three criteria at once: they could be exploited remotely, an exploit was available in the public domain, and a patch or mitigation existed that could prevent exploitation. According to the firm, prioritizing those vulnerabilities for patching would reduce the risk of a cyberattack by 86%. The most important patches to prioritize are those listed in the Known Exploited Vulnerabilities (KEV) Catalog published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which at the time of writing contains 368 vulnerabilities.
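To make the prioritization rule concrete, the following Python sketch applies it to a small constructed inventory and contrasts the result with a plain CVSS sort. It is an added example, not code from Risk Based Security, CISA, or this article. The identifiers (`VULN-000x`), scores and flags are placeholders, and the `SAMPLE_KEV` dict only mimics the shape of CISA's KEV JSON feed (a `vulnerabilities` list whose entries carry a `cveID` field), which is an assumption about that feed's schema rather than something the article states.

```python
"""Exploitability-first patch triage (added example, constructed data).

Orders a constructed vulnerability inventory the way the article describes:
CISA KEV listings first, then findings that are remotely exploitable with a
public exploit and an available fix, then everything else by severity.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    ident: str             # placeholder identifier, not a real CVE ID
    cvss: float            # base severity score
    remote: bool           # exploitable over the network
    public_exploit: bool   # exploit code in the public domain
    patch_available: bool  # vendor patch or documented mitigation exists


# Constructed stand-in for the KEV JSON feed. Only the "cveID" field is read;
# the identifiers are placeholders, not real catalog entries (assumed schema).
SAMPLE_KEV = {
    "vulnerabilities": [
        {"cveID": "VULN-0002"},
        {"cveID": "VULN-0005"},
    ]
}

# Constructed inventory: note that the highest-CVSS finding has no public exploit.
SAMPLE_INVENTORY = [
    Finding("VULN-0001", 9.8, remote=True, public_exploit=False, patch_available=True),
    Finding("VULN-0002", 7.5, remote=True, public_exploit=True, patch_available=True),
    Finding("VULN-0003", 8.1, remote=True, public_exploit=True, patch_available=True),
    Finding("VULN-0004", 5.3, remote=False, public_exploit=True, patch_available=True),
    Finding("VULN-0005", 6.5, remote=True, public_exploit=False, patch_available=True),
]


def kev_ids(catalog: dict) -> set:
    """Return the set of identifiers listed in a KEV-shaped catalog dict."""
    return {entry["cveID"] for entry in catalog.get("vulnerabilities", [])}


def tier(finding: Finding, kev: set) -> int:
    """Lower tier means patch sooner; exploitation evidence outranks CVSS."""
    if finding.ident in kev:
        return 0  # known exploited in the wild: top of the queue
    if finding.remote and finding.public_exploit and finding.patch_available:
        return 1  # the "remote + public exploit + fix available" set
    if finding.remote:
        return 2  # network-reachable, but no public exploit yet
    return 3      # local-only or otherwise lower urgency


def triage(findings, catalog) -> list:
    """Order by tier first, then by CVSS within a tier."""
    kev = kev_ids(catalog)
    return sorted(findings, key=lambda f: (tier(f, kev), -f.cvss))


def severity_only(findings) -> list:
    """The baseline the report argues against: sort by CVSS alone."""
    return sorted(findings, key=lambda f: -f.cvss)


if __name__ == "__main__":
    print("severity-only :", [f.ident for f in severity_only(SAMPLE_INVENTORY)])
    print("exploitability:", [f.ident for f in triage(SAMPLE_INVENTORY, SAMPLE_KEV)])
```

On this input the CVSS-only sort puts the 9.8 finding first even though nothing is known to exploit it, while the exploitability-first order moves the two KEV-listed findings ahead of it despite their lower scores. In a real deployment the `remote`, `public_exploit` and `patch_available` flags would come from a vulnerability intelligence source, which is the data-quality point the report closes on.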
The increase in the number of reported vulnerabilities can be explained, in part, by the pandemic, which is believed to have slowed vulnerability disclosures in 2020. In the first half of 2021, when COVID-19 restrictions were still in place in many countries, the 2021 total ran only around 400 disclosures ahead of the same period in 2020; in the second half of the year, as restrictions were eased, the gap widened to around 3,500.
The two products with the highest number of vulnerabilities were Debian Linux (1,218) and openSUSE Leap (1,178), the same pair as in 2020, albeit with their positions swapped. Fedora (995) was third, and Google Pixel/Nexus rose from 12th place in 2020 to 5th in 2021 with 738 vulnerabilities, even though its count was similar to the previous year. Note that the high counts for Linux distributions reflect how they are tracked rather than how secure they are: a distribution inherits a disclosure for every affected package it ships, so a single upstream flaw in a shared library is counted once per distribution.
While the number of vulnerabilities increased, there is some good news. Risk Based Security said organizations are realizing that it is possible to proactively manage risk rather than react to it.
“The industry is starting to make big leaps in how it views vulnerability management. Firms like Gartner are catching on to the inefficiencies caused by reliance on vulnerability scanners, while government agencies like the Cybersecurity and Infrastructure Security Agency are pushing for organizations to focus their prioritization on metadata like exploitability, rather than severity,” concluded Risk Based Security. “As enterprises take the steps in assessing those possibilities, security teams will come to realize that it will all come down to the quality of data. To make informed risk decisions, they will come to understand that comprehensive, actionable, and timely vulnerability intelligence will be critical, and that it won’t be found in the public source.”