Although the number of security vulnerabilities reported in the first half of 2019 has dropped slightly from the same period last year, a new report by Risk Based Security states that 34 percent of the 11,092 vulnerabilities identified had not been patched as of the report's publication.
The key findings of the report include the following:
- Web-related vulnerabilities accounted for 54.5 percent of those vulnerabilities.
- 34 percent have public exploits.
- 34 percent do not have a documented solution.
- 53 percent can be exploited remotely.
- 8 percent were classified as SCADA vulnerabilities.
- 5 percent were classified as impacting security software.
- 7 percent received CVSSv2 scores of 9.0+.
- Five major vendors accounted for 24.1 percent of 2019 vulnerabilities so far.
The report also notes that remote vulnerabilities, those exploitable over a network by an attacker who had no prior access to the system, made up the largest category companies faced in the first half of 2019. The report cites SQL injection as a typical way such flaws are exploited and recommends sanitizing input as the defense; in practice that means validating input against an allowlist and, above all, passing values to the database as bound parameters rather than concatenating them into the query text. Another recommendation in the report is to use a vulnerability scanning tool that covers the entire network and every device connected to it, since many organizations do not have a complete inventory of what is attached to their network. For an organization that scans and patches regularly, more than half of the vulnerabilities reported in the first half of this year could already have been resolved, since a documented solution exists for 66 percent of them.
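To make the SQL injection point concrete, the following is an added example (it is not from the Risk Based Security report or this article) showing a login query built by string concatenation next to the same query with bound parameters, plus the allowlist check the report's "sanitize input" advice amounts to. The user table, credentials and attack strings are constructed here for illustration; the database is an in-memory SQLite instance so the script runs offline.

```python
import re
import sqlite3

# Constructed sample accounts (not real credentials).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]

USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def make_db():
    """Create an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Builds the SQL text from user input, so the input becomes part of the query.

    An attacker can close the string literal and append their own SQL.
    """
    query = (
        "SELECT name FROM users "
        f"WHERE name = '{name}' AND password = '{password}' ORDER BY name"
    )
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn, name, password):
    """Same query with bound parameters: the driver passes values separately from
    the SQL text, so a quote or comment marker in the input is just data."""
    query = "SELECT name FROM users WHERE name = ? AND password = ? ORDER BY name"
    return [row[0] for row in conn.execute(query, (name, password))]


def validate_username(name):
    """Allowlist validation (the 'sanitize input' advice): reject anything that is
    not a short alphanumeric identifier. Defense in depth, not a replacement for
    parameterized queries."""
    if not USERNAME_RE.match(name):
        raise ValueError(f"invalid username: {name!r}")
    return name


def demo():
    """Run both attack strings against both query styles and return the results."""
    conn = make_db()
    # Payload 1: tautology in the password field. In the concatenated query the
    # WHERE clause becomes  name = 'x' AND password = '' OR '1'='1'  which,
    # because AND binds tighter than OR, matches every row.
    tautology = "' OR '1'='1"
    # Payload 2: comment marker in the username field, which strips the
    # password check entirely:  name = 'alice' --' AND password = ...
    comment = "alice' --"
    return {
        "vulnerable_tautology": login_vulnerable(conn, "x", tautology),
        "vulnerable_comment": login_vulnerable(conn, comment, "wrong"),
        "parameterized_tautology": login_parameterized(conn, "x", tautology),
        "parameterized_comment": login_parameterized(conn, comment, "wrong"),
        "parameterized_legit": login_parameterized(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:26s} -> {rows}")
    try:
        validate_username("alice' --")
    except ValueError as exc:
        print("allowlist check rejected:", exc)
```

The two vulnerable calls return every user and the target user respectively without a valid password, while the parameterized versions return nothing for the same input because SQLite receives the attack strings as literal values. The allowlist check catches both payloads early, which is useful for logging and for fields that are never meant to contain punctuation, but it is the bound parameters that make the query itself safe.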