Wednesday, November 15, 2017

No-Shock: Worst Year For Vulnerabilities Already – Only Through Q3 2017

2017 has officially become the worst year on record with over 16,006 disclosed vulnerabilities.

RICHMOND, VA, November 14, 2017 -- Risk Based Security today announced the release of its Q3 2017 VulnDB QuickView report that shows there have been 16,006 vulnerabilities disclosed through September 30th this year. This is the highest number of disclosed vulnerabilities at the end of the third quarter on record and represents a 38% increase over the same period in 2016. In addition, cataloged vulnerabilities in the first nine months of 2017 have exceeded the total vulnerabilities for all of 2016 (15,832). The 16,006 vulnerabilities cataloged by Risk Based Security’s VulnDB research team eclipsed the total covered by the CVE and National Vulnerability Database (NVD) by 6,295.

“When hearing that so many vulnerabilities are missing from CVE/NVD, most security professionals want to justify the gap by trying to convince themselves that the vulnerabilities missed can’t possibly impact their organization and if they do they must be low risk. However, just as our previous reports have indicated this isn’t the case. 44.1% – over 2,700 – of the vulnerabilities not published by NVD/CVE have a CVSSv2 score between 7.0 and 10, which include widely deployed software used by many organizations. Any security product or tool that relies on CVE/NVD is putting your organization at serious risk.” said Jake Kouns, Chief Information Security Officer for Risk Based Security.

“As Equifax dominated the data breach headlines, it was revealed that due to a series of delays they were unable to patch the exploited flaw, now commonly known as Struts-Shock, in a timely fashion. What the media missed is that there have been a total of 75 vulnerabilities in Apache Struts, and 5 new vulnerabilities since Struts-Shock was disclosed. It makes you wonder if there were any other delays in correcting those issues as well, and if Equifax has additional unpatched vulnerabilities”, added Kouns.

The newly released 2017 Q3 2017 report from Risk Based Security shows that 39.9% of total reported vulnerabilities received CVSSv2 scores above 7.0. This means that not only is the number of vulnerabilities on the rise, but the severity of the vulnerabilities disclosed remains high. What is more concerning for organizations is that 31.6% of the vulnerabilities disclosed have public exploits available and 47.9% can be exploited remotely.

The VulnDB QuickView report also highlights the relationships between researchers and vendors, showing that they are continuing to work together. Vulnerabilities disclosed in a coordinated fashion continues to be around 43%, on par from the mid-year report. In addition, 6.1% of the vulnerabilities disclosed in software products were coordinated through vendor and third-party bug bounty programs.

“While our proprietary Vulnerability, Timeline, and Exposure Metrics (VTEM) show that not all vendors are prioritizing and fixing vulnerabilities as quickly as we would prefer, the good news is that 75.8% of 2017 vulnerabilities through September do have a documented solution”, says Kouns.

Tuesday, November 14, 2017

Top 5 Predictions for ICS Security in 2018

Nozomi Networks has comprised the top 5 predictions for ICS Security in 2018.

1. ICS malware moves beyond Windows exploits to ICS-specific malware. Up to now, most malware that has infected ICS have used Windows vulnerabilities or protocols to infect and spread. For example, in 2017, WannaCry, Industroyer and Dragonfly 2 all used the Windows protocol, SMB, as a key infection and proliferation mechanism. Malware attacks using OT device software, such as PLC software, will start to occur adding to the sea of Windows-dependent attacks.

2.The cuffs will come off of Internet connectivity for ICS systems as IT technology is increasingly integrated with ICS systems to achieve operational efficiencies.  Progressive companies will implement new technologies and procedures necessary to not only bridge IT and OT, but also to defend their ICS from this source of cyber threats.

3. Artificial intelligence becomes more mainstream for ICS systems to provide next generation security to fight cyber threats. Organizations grappling with ICS cybersecurity staffing and skills shortages are turning to AI solutions to achieve security and productivity goals. AI powered monitoring tools are now able to discover breaches automatically and provide information on remediation.

4. The shortage of ICS cybersecurity skills will open the door for vendors to provide full security services. These services will move beyond risk assessments to become more full service.

5. Security-by-Design will start to improve ICS Security.  Major companies will increase their demands that security be included in new automation equipment purchases; for example, requiring that RTUs have encrypted software. Cybersecurity certification will also rapidly grow and major automation vendors will have their products tested for the ISA Secure certification.

For more, see these books:

Cyber Security for Industrial Control Systems: From the Viewpoint of Close-Loop

Cybersecurity for Industrial Control Systems: SCADA, DCS, PLC, HMI, and SIS