Vulnerabilities on the decline, but risk assessment is often flawed, study says

The number of vulnerabilities could reach a three-year low in 2014, but correctly assessing their risk can be hard, IBM researchers said

Based on data gathered over the first six months of 2014, security researchers from IBM X-Force predict that the number of publicly reported vulnerabilities will drop to under 8,000 this year, a first since 2011.

While the majority of flaws disclosed so far fall into the medium-risk category, the IBM researchers said that the widely used system to rate their severity often fails to reflect the real risk they pose to users.

Over the first half of the year, the IBM X-Force team collected reports about 3,900 security vulnerabilities from advisories published by software vendors, security industry mailing lists and other sources. If vulnerability disclosures continue at the same rate, the number of flaws reported in 2014 will fall under 8,000, several hundred less than in each of the previous two years, the team said in a report released this week.

"It is difficult to point to any one factor that has contributed to the decline in the number of vulnerability disclosures in 2014," the X-Force researchers said. "However, it is interesting to note that the total number of vendors disclosing vulnerabilities has decreased year over year (1,602 vendors in 2013, compared to 926 vendors in 2014)."

Security experts have argued in the past that the overall number of vulnerabilities is not as relevant as their impact. However, despite attempts to standardize methods of assessing the severity of vulnerabilities, like the Common Vulnerability Scoring System (CVSS), there are many cases where the true risk posed by certain flaws is not represented accurately.

"Many in the industry, including security analysts, corporate incident response teams and enterprise software consumers, have become dissatisfied with scoring inconsistencies that often occur across different organizations," the X-Force researchers said. "Sometimes the inconsistencies are the result of the subjectivity that can go into how an individual or organization scores vulnerabilities, but they can also result from some of the inherent flaws in the current CVSS standard and a lack of clear guidelines on how to objectively assess certain types of vulnerabilities."

One prime example is the Heartbleed flaw disclosed in the OpenSSL library in early April that can be exploited by attackers to extract sensitive information from the memory of Web servers. The vulnerability received a CVSS base score of 5.0 out of 10, which puts it into the medium-risk category.

"With the number of products impacted, the time and attention IT teams spent patching systems and responding to customer inquiries, as well as the potential sensitivity of data exposed, the true impact of the Heartbleed vulnerability was greater than the CVSS base score would indicate," the X-Force researchers said. "This also brings to question what other vulnerabilities fell into the medium-risk category (CVSS base score 4.0 to 6.9) that may have been disregarded by organizations, but that also had potential large-scale impacts similar to Heartbleed."

Sixty-seven percent of vulnerabilities disclosed during the first half of 2014 fell into the medium-risk level based on their assigned CVSS scores, according to the IBM report. This is similar to numbers seen in the previous two years.

In 2013, Carsten Eiram, the chief research officer at Risk Based Security, and Brian Martin from the Open Security Foundation, two researchers experienced in maintaining vulnerability databases, wrote an open letter detailing CVSS shortcomings to the Forum for Incident Response and Security Teams (FIRST), the organization that maintains the standard.

"While CVSSv2 saw improvements over CVSSv1, the scheme is still not adequately supporting real life usage, as it suffers from being too theoretical in certain aspects," Eiram and Martin wrote in their letter. "Specific vulnerability types and vectors are not properly supported while others are not properly described, leading to subjective and inconsistent scoring, which CVSS was designed to prevent."
