According to Tenable, 14.4% of security breaches in 2020 were the result of email compromises, and 18,358 new Common Vulnerabilities and Exposures (CVEs) were reported in 2020, a 6% increase from 2019 and a 183% increase from 2015. Over the period 2015 to 2020, Tenable puts the average annual percentage growth rate in reported CVEs at 36.6%.
Tenable’s 2020 Threat Landscape Retrospective also found that:
- Over 35% of all zero-day flaws exploited were browser vulnerabilities in Google Chrome, Mozilla Firefox, Internet Explorer and Microsoft Edge.
- In 2020, 18 ransomware groups were operating leak websites that name and shame victims to secure ransom demands.
Tenable also lists key takeaways of its report as:
- Headline vulnerabilities shouldn’t always be the main focus. Not every critical vulnerability had a name and logo given to it and conversely not every vulnerability with a name and logo should be seen as critical.
- Remote working still raises concerns. The array of new solutions organisations implemented in 2020 to support remote working and distance learning raises concerns that can only be addressed through diligent patching and implementing the right security controls.
- Unpatched vulnerabilities in VPNs are still gold for cyber attackers. Pre-existing vulnerabilities in VPN solutions continue to be a favourite target for cybercriminals and nation-state groups.
And according to the Tenable report, the top 5 vulnerabilities of 2020 were:
- Zerologon, the Netlogon elevation-of-privilege flaw in Windows Server (CVE-2020-1472)
- Citrix ADC/Gateway/SD-WAN WANOP (CVE-2019-19781)
- Pulse Connect Secure SSL VPN (CVE-2019-11510)
- Fortinet Fortigate SSL VPN (CVE-2018-13379)
- F5 BIG-IP (CVE-2020-5902)
“Every day, cybersecurity professionals in Australia and the rest of the world are faced with new challenges and vulnerabilities that can put their organisations at risk,” says Satnam Narang, Staff Research Engineer at Tenable.
“The 18,358 vulnerabilities disclosed in 2020 alone reflect a new normal and a clear sign that the job of a cyber defender is only getting more difficult as they navigate the ever-expanding attack surface.
“A complex threat landscape, highly motivated threat actors and readily available exploit code translate into serious cyber attacks as reflected in this report. Many of the tactics used by bad actors are not sophisticated or didn’t require flexing too many mental muscles - making it more important than ever to patch vulnerabilities in a timely manner.”
Narang says that to adapt in a digital and distributed world, “every industry sector and business model is reliant on technology. Hence, pausing for a retrospective provides cybersecurity professionals with an important opportunity to identify gaps and refine strategies to make their organisations more secure”.
“In 2021, it’s essential that we have the tools, awareness and intelligence to effectively reduce risk and eliminate blind spots. It’s only through looking at where we’ve come from that we can effectively plan for what lies ahead.”