Analysis of breach data by Tenable’s Security Response Team (SRT) has revealed that, from January through October 2020, there were 730 publicly disclosed events resulting in over 22 billion records exposed worldwide. Thirty five percent of breaches analyzed by Tenable were linked to ransomware attacks, resulting in tremendous financial cost, while 14% of breaches were the result of email compromises. One of the overarching themes of the threat landscape in 2020 was that threat actors relied on unpatched vulnerabilities in their attacks as well as chaining together multiple vulnerabilities as part of their attacks. This analysis has been published in Tenable’s 2020 Threat Landscape Retrospective (TLR) report which provides an overview of the key vulnerabilities disclosed or exploited in the 12 months ending December 31, 2020.
As organizations around the world prepare to face the new cybersecurity challenges looming in 2021, it’s crucial to pause and take a look back at the most critical vulnerabilities and risks from the past year. Understanding which enterprise systems are affected by the year’s vulnerabilities can help organizations understand which flaws represent the greatest risk.
From 2015 to 2020, the number of reported common vulnerabilities and exposures (CVEs) increased at an average annual percentage growth rate of 36.6%. In 2020, 18,358 CVEs were reported, representing a 6% increase over the 17,305 reported in 2019, and a 183% increase over the 6,487 disclosed in 2015. Prioritizing which vulnerabilities warrants attention is more challenging than ever. Two notable trends from the report are:
Pre-existing vulnerabilities in virtual private network (VPN) solutions — many of which were initially disclosed in 2019 Cr earlier — continue to remain a favorite target for cybercriminals and nation-state groups.
Web browsers like Google Chrome, Mozilla Firefox, Internet Explorer and Microsoft Edge are the primary target for zero-day vulnerabilities, accounting for over 35% of all zero-day vulnerabilities exploited in the wild.
Fixing unpatched vulnerabilities, implementing strong security controls for remote desktop protocol, ensuring endpoint security is up-to-date and regularly performing security awareness training are steps organizations can take to thwart some of these attacks.
“Every day, cybersecurity professionals in India and the rest of the world are faced with new challenges and vulnerabilities that can put their organisations at risk. The 18,358 vulnerabilities disclosed in 2020 alone reflects a new normal and a clear sign that the job of a cyber defender is only getting more difficult as they navigate the ever-expanding attack surface,” said Satnam Narang, Staff Research Engineer at Tenable. “A complex threat landscape, highly motivated threat actors and readily available exploit code translate into serious cyber attacks as reflected in this report. Many of the tactics used by bad actors are not sophisticated or didn’t require flexing too many mental muscles - making it more important than ever to patch vulnerabilities in a timely manner.”
“To adapt in a digital and distributed world, every industry sector and business model is reliant on technology. Hence, pausing for a retrospective provides cybersecurity professionals with an important opportunity to identify gaps and refine strategies to make their organisations more secure. In 2021, it’s essential that we have the tools, awareness and intelligence to effectively reduce risk and eliminate blind spots. It’s only through looking at where we’ve come from that we can effectively plan for what lies ahead,” he added.
Throughout the year, Tenable’s Security Response Team tracks and reports on vulnerabilities and security incidents, providing guidance to security professionals as they plan their response strategies. The team’s work gives them the opportunity to closely observe the ever-changing dynamics of the threat landscape.
Note to editor:
Report methodology — This report was compiled based on Tenable’s analysis of:
Events over the course of 2020
Information from advisories published by U.S. government agencies
Publicly available breach data from national and local news outlets, reporting on data breaches from January through October 2020.
You can find the full report available for download here, with key stats and 9 top takeaways summarised on pages 4-5. If you’re interested in more detail on the report findings, Satnam Narang is available for a chat.
Tenable Inc. is a Cyber Exposure company. With over 30,000 organizations including more than 50 percent of the Fortune 500, more than 30 percent of the Global 2000 and large government agencies, the Tenable platform caters to the breadth of visibility into cyber risk across IT, Cloud, IoT and OT environments and the depth of analytics to measure and communicate cyber risk in business terms to make better strategic decisions. Tenable has also extended its expertise in vulnerabilities by creating Nessus, to deliver the world’s first platform to see and secure any digital asset on any computing platform.