52% of the serious vulnerabilities we find are related to Windows 10

52% of the serious vulnerabilities we find are related to Windows 10

We analyzed 2.5 million vulnerabilities we discovered in our customers’ assets. Here’s what we found.

Dig into the data

The dataset we analyze here is representative of a subset of customers who subscribe to our vulnerability scanning services. The scanned assets include those that are accessible via the Internet, but also those that are present on internal networks. The data includes findings for network equipment, desktops, web servers, database servers, and even a single document printer or scanning device.

The number of organizations in this dataset is smaller (3 fewer) than the previous dataset used in last year’s Security Navigator 2023 and some organizations have been replaced by new additions. With organizational change comes a different mix of resources, making comparing past results akin to comparing apples and oranges (we may be biased), but it’s still worth trying to find comparables where possible notice patterns.

This year we revisit the looming vulnerability theme, with an eye on the ever-present and lingering tail of unresolved system weaknesses. The waves of newly discovered serious problems are just for our attention, along with existing unresolved problems, and are like a hydra that keeps growing new wriggly heads whenever you send others to it.

Assessing whether a system is adequately protected is a challenge that requires skill and expertise and can be time-consuming. But we want to be aware of any weaknesses in advance, rather than having to deal with the consequences of an unplanned ‘free pentest’ by some random Cy-X group.

Security Navigator 2024 is here – download now#

The newly released Security Navigator 2024 provides critical insights into today’s digital threats, documenting 129,395 incidents and 25,076 confirmed breaches. More than just a report, it serves as a guide for navigating a more secure digital landscape.

What’s in it?#

  • 📈 In-depth analysis: Discover trends, attack patterns and predictions. Learn from case studies in CyberSOC and Pentesting.
  • 🔮 Ready for the future: Equip yourself with our safety forecasts and research summary.
  • 👁️ Real-time data: From Dark Net surveillance to industry-specific statistics.

Stay one step ahead in cybersecurity. Your essential guide awaits!

🔗 Get your copy now

Vulnerability scan findings for severity

When we examine the severity rate per unique Finding, we see that the majority of unique Findings, 79%, are classified as ‘High’ or ‘Medium’. However, it is also worth noting that half, 50.4%, of the unique findings are considered ‘critical’ or ‘high’.

1705926036 47 52 of the serious vulnerabilities we find are related to

The average number of ‘critical’ or ‘high’ findings decreased by 52.17% and 43.83% respectively compared to our previously published results. An improvement can also be seen for the findings, with the ‘Medium’ and ‘Low’ severity ratings decreasing by 29.92% and 28.76%. Because this report uses a slightly different sample of customers than last year, year-over-year comparisons have limited value, but we do see evidence that customers are responding well to the findings we report, resulting in overall improvement.

1705926037 490 52 of the serious vulnerabilities we find are related to

The majority of findings (78%) rated ‘critical’ or ‘high’ are 30 days or less (when considering a 120-day period). Conversely, 18% of all findings rated ‘Critical’ or ‘High’ are 150 days or older. From a prioritization perspective, “critical” or “high” real findings appear to be handled quickly, but there is still residual over time. We therefore see that unresolved findings are becoming older. ~35% of all unique CVEs come from findings 120 days or older.

1705926037 678 52 of the serious vulnerabilities we find are related to

The graph above shows the long tail of unresolved real findings. Note the first notable long tail peak around 660 days and the second at 1380 days (3 years and 10 months).

A window of opportunity

1705926037 768 52 of the serious vulnerabilities we find are related to

The high average numbers of ‘Critical’ and ‘High’ findings are largely influenced by assets running Microsoft Windows or Microsoft Windows Server operating systems. Assets running non-Microsoft operating systems, such as Linux-based operating systems, are present, but are proportionately less reported.

However, we should note that the “critical” or “high” findings associated with assets running Windows are not necessarily vulnerabilities in the operating system, but could also be associated with applications running on the asset.

It may be understandable that unsupported Microsoft Windows and Windows Server versions are prominently featured here, but it is surprising to find more recent versions of these operating systems with a severity rated as ‘Critical’ or ‘High’.

Industry perspective

We use NAICS for our industry classification. The results here only take into account findings based on scans of hosts and not on services such as web applications. The average unique real discovery per unique asset is 31.74 for all organizations, indicated by the horizontal dotted line in the graph below.

1705926038 114 52 of the serious vulnerabilities we find are related to

Our clients in the construction sector appear to be performing exceptionally well compared to clients in other sectors, with an average of 12.12 findings per asset. At the other end of the spectrum we have the mining, quarrying and oil and gas industries, where we report an average of 76.25 unique findings per asset. Public administration clients surprised us by outperforming the finance and insurance sectors with an average of 35.3 findings per asset, compared to 43.27, despite the higher number of assets. These values ​​are obviously derived from the group of customers present in our sample and may not represent universal reality.

1705926038 610 52 of the serious vulnerabilities we find are related to

When we compare the average severity per unique asset per sector, we see a mixed picture. We can ignore healthcare, social assistance and information services, which have a relatively small number of unique assets, resulting in averages that are disproportionate to other industries.

Our overall industry average for High severity is 21.93 and mining, mineral extraction and oil and gas extraction have more than double that average.

Similarly, the financial and insurance sectors with accommodation and food services also exceeded the overall average with 10.2 and 3.4 findings per unique asset respectively. The same three industries exceeded the overall average for findings rated as critical, with accommodation and food servers doing so by almost a factor of 3.

1705926038 414 52 of the serious vulnerabilities we find are related to

Vulnerability gets old

As we revisit the looming theme of vulnerability this year, we once again look with suspicion at the ever-present and lingering story of unresolved system weaknesses that are only growing older. We reviewed more than 2.5 million vulnerability findings reported to our customers and more than 1,500 reports from our professional ethical hackers to understand the current state of security vulnerabilities and their role and effectiveness as a tool for prioritization into consideration.

The majority of unique findings reported by our scanning teams (79%) are classified as ‘High’ or ‘Moderate’, and 18% of all serious findings are 150 days or older. While these are generally addressed more quickly than others, some residues still accumulate over time. While most findings we identify resolve after 90 days, 35% of all findings we report persist for 120 days or longer. And far too many are never addressed at all.

Our scan results highlight the persistent problem of unpatched vulnerabilities. Meanwhile, our Ethical Hacking teams are increasingly encountering newer applications and systems built on contemporary platforms, frameworks and languages.

The role of the ethical hacker is to perform penetration testing – emulating a malicious attacker and assessing a system, application, device or even people for vulnerabilities that can be used to gain access or deny access to IT resources .

Penetration testing is generally considered part of Vulnerability Management, but can also be seen as a form of Threat Intelligence that companies should use as part of their proactive defense strategy.

17.67% of the findings reported by our ethical hackers were rated as ‘serious’, but more accurately, hackers today have to work harder to discover them than in the past.

This is just an excerpt from the analysis. More details about our Vulnerability Analysis and Pentesting (as well as a lot of other interesting research topics such as VERIS categorization of the incidents handled in our CyberSOCs, Cyber ​​Extortion metrics and an analysis of Hacktivism) can be found in the Security navigator. Just fill out the form and receive your download. It’s worth it!

Remark: This informative piece has been expertly compiled and generously shared by Charl van der Walt, Head of the Security Research Center, Orange Cyberdefense.

#vulnerabilities #find #related #Windows

Notify of
Inline Feedbacks
View all comments
Previous Post
RokRAT Backdoor

North Korean Hackers Weaponize Fake Research to Deliver RokRAT Backdoor

Next Post
NS-STEALER uses Discord Bots to exfiltrate your secrets from popular browsers

NS-STEALER uses Discord Bots to exfiltrate your secrets from popular browsers

Related Posts