Edgescan vulnerability stats report 2019 - h-isac-2-2-2019

2018 Application Security – “State of the Nation”
A Preview of the edgescan Vulnerability Stats Report

Who am I ?
Effective, Scalable #Fullstack Vulnerability Management 2
Eoin Keary
@eoinkeary
CEO/Founder edgescan.com & BCC Risk Advisory
OWASP Leader/Member/Ireland Founder
OWASP Global Board Member (2009-2015)

Source of Stats
Vulnerability
Discovery
Vulnerability
Validation
Alerting and
Event
notification
Continuous
Asset Profiling
Metrics and
Risk
Measurement
API
integration
Bespoke
Development Metrics and Measurement
Metrics to assist with measurement of
improvement, Risk management efficiency,
identification of areas and processes which
give rise to risk. Highlight areas which may give
rise to risk and focus on technologies and
development areas which require attention.
Continuous Asset Profiling
Constant interrogation of entire CIDR ranges or
individual IP’s/endpoints to assist with system
discovery, attack surface identification and
system visibility. Integration with alerting and
event features to provide situational
awareness on a continuous basis.
Vulnerability Validation
Based on delta analysis and correlation
technology newly discovered and
vulnerabilities are validated by experts.
Fales positives and items which don’t pose
any risk are supressed and archived
automatically.
Vulnerability Discovery
Continuous Assessment of systems across the
full stack dedicated to the discovery of
vulnerabilities. Vulnerability discovery
leveraging multiple engines and toolchains to
deliver extensive coverage. Both internal and
external systems can be covered. Assessment
on-demand and control via the edgescan
portal and API.
Alerting and Event notification
Situational awareness delivered via
API/Webhook, ticketing integration, Slack
integration, email or any other preferred
method.
Custom alerting and event notification to
inform and trigger downstream systems,
generate tickets.
API integration
Integration of vulnerability intel generated by
the edgescan SaaS to other systems such as
Governance Risk and Compliance (GRC),
Ticketing, Bug Tracking and SIEM systems.
Custom report generation and data
consumption via the edgescan API.
Bespoke Development
Leveraging our development team, custom
and bespoke integration solutions can be
developed to assist with strong integration and
end-to-end vulnerability lifecycle management

How we get the Stats?
• 1000’s of web applications, API’s, IP’s, endpoints and
infrastructure assessed every month.
• All Vulnerabilities are validated and risk rated to maintain
accuracy of statistical model.
• Continuous asset Profiling to detect exposed systems, open
ports and change over time.
• 2019 Stats report includes both public Internet facing and
internal network systems and applications.
• Stats based on a cross section of industries from finance to
government, from Gaming to media, from Pharma to medical
research….
• 4th year of the Stats report….

Key “Take Away’s” from the 2018 data
• Continuous Visibility is key to a robust posture
• CVE/CWE Detection
• Exposed Admin Detection
• Exposed Ports alerting
• Misconfigurations
• Majority of risk is still in the application layer
• Secure Application development and continuous assessment to keep
pace with development is important
• Majority of risk is still in the application layer
• Secure Application development and continuous assessment to keep
pace with development is important
• Zero-Days are Hollywood FUD, The most common CVE’s are years old.
• Plenty of needlessly exposed services and systems which give rise to
breach and critical risks

Vulnerability Dispersion and Risk Density
In 2018 we discovered that on average,
19% of all vulnerabilities discovered were
associated with web applications, API’s etc and;
81% were network vulnerabilities.
Public Internet: Application Layer:
19.2% of all vulnerabilities discovered are High or
Critical Risk.
Public Internet: Network/Infrastructure:
2% of all vulnerabilities discovered are High or
Critical Risk
Application Risk Density is significantly higher –
10 times more High/Critical Risks than
Infrastructure
19%
2%
0%
5%
10%
15%
20%
Application Layer Infrastructure Layer
Critical or High Risk
81%
19%
Vulnerability Dispersion
Infrastructure Layer Application Layer

Vulnerability Density Internal Vs Internet
Infrastructure Security External:
2% of all vulnerabilities discovered were High or
Critical Risk
10.2% of all vulnerabilities were Medium Risk
Web/Application Security External:
19.2% of all vulnerabilities discovered were High
or Critical Risk
19.4% of all vulnerabilities discovered were
Medium Risk.
Infrastructure Security Internal:
or Critical Risk
22% of all vulnerabilities discovered were
Medium Risk
Web/Application Security Internal :
or Critical Risk
22.5% of all vulnerabilities discovered were
Medium Risk
4.2%
2.0%
24.9%
19.2%
0.0% 5.0% 10.0% 15.0% 20.0% 25.0% 30.0%
INFRASTRUCTURE INTERNAL
INFRASTRUCTURE EXTERNAL
WEB APP INTERNAL
WEB APP EXTERNAL
Infrastructure
Internal
Infrastructure
External
Web App Internal Web App External
Critical or High Risk 4.2% 2.0% 24.9% 19.2%
Critical or High Risk

Vulnerability Density Internal Vs Internet
The high risk density score of 24.3% for internal facing applications is worrisome.
• “insider threat” is a significant issue?
• Malware and Ransomware
High and Critical Risk Density in the Internet Facing (external) Infrastructure:
• Relatively low at 2%
High and Critical Risk Density in Internal infrastructure is at 4.2%
The percentage of High and Critical risks combined, compared to all discovered
risks:
• 19.2% for public Internet facing (external) applications; and
• 24.9% for non-public or internal applications.
This compares to a risk density of 20.7% for Internet facing systems last year
(2018), roughly similar.

Most common Web (Layer 7) Vulnerabilities
Vulnerability type & Description % of all
vulnerabilities
discovered
Cross Site Scripting/Browser Sink Attacks 14.69%
HTML Injection, Stored and reflected Cross-Site Scripting. Template Injection.
Generally due to a lack of / poor contextual output encoding.
Vulnerable Components 12.36%
Unpatched, unmanaged, known CVE (vulnerability). Misconfigured components
and insecure defaults.
Source code disclosure 5.72%
Backend source code disclosure due to error or poor application design.
Sensitive Information Disclosure 3.60%
Sensitive business information, PII, Credentials etc
SQL injection (& LDAP injection) 5.55%
Database attack via vulnerable web application
Weak Authentication 9.25%
Weak passwords, Enumeration/Leakage, Error related issues.
Other Injection (OS, CRLF, HTTP, XXE) 8.18%
Injection attacks, Operating system, Backend injection. Pivoting attacks,
Command Shell and stepping stone attacks to assist in total compromise of
hosting environment and associated network.
Vulnerable components were significant in 2019 at
12.36%, which begs to question the extent to which
organisations are managing software component
inventory and bill of materials.
SQL Injection was also significant in 2018 at 5.55% in
terms of how devastating the attack can be and how
easily it can be used to exploit entire systems.

Most common Infrastructure Vulnerabilities in 2018
Vulnerability type & Description % of Total
discovered
TLS & SSL Version & Configuration Issues 44.70%
SMB Security Issues
SMB authentication, vulnerabilities etc.
29.53%
Windows Remote Desktop Protocol Server Man-in-the-Middle 6.25%
OpenSSH Multiple Vulnerabilities and Configuration Issues 8.61%
Unencrypted Telnet Services
Insecure and unencrypted protocol for data trransfer.
4.15%
Return Of Bleichenbacher's Oracle Threat (ROBOT) Information Disclosure
an adaptive-chosen ciphertext attack; this attack fully breaks the confidentiality of TLS when used
with RSA encryption.
1.78%
Unsupported & unpatched Server Detection
Unpatched, unsupported servers both *nix and Windows. 1000's of CVE's recorded against them as a
result.
1.69%
Firewall UDP Packet Source Port 53 Ruleset Bypass
Bypass of firewall rules by sending UDP packets with a source port equal to 53 E,g, CVE-2003-1491
CVE-2004-1473
1.29%
SNMP Agent Default Community Name (public)
An attacker may be able to use information to gain more knowledge about the remote system or
change the configuration settings (if the default community allow such modifications).E.g. CVE-1999-
0517
0.82%
Microsoft Windows SMB NULL Session Authentication
A server with Microsoft Windows where is it possible to log into it using a NULL session E<g, No
login ID or password requred. CVE-1999-0519, CVE-1999-0520,CVE-2002-1117
1.18%
As per previous years, TLS, SSL issues
top the most common list at 44.7%
SMB security issues are also
significant and are related to various
mass malware attacks in 2018 –
Eternalblue/Wannacry/NotPetya
RDP (Remote Desktop)
vulnerabilities were also relatively
common and are a popular target
for attackers according to 2018
threat intel and media reports.

Most Common CVE’s (Excluding SSL Related Issues) -
External
Name % of total
discovered
CVSS 2.0
score
CVE’s
Microsoft Windows Server 2003 Unsupported system 33.33% 10CVE-2005-0416,CVE-2005-3483,CVE-2006-2373,CVE-2006-2374,CVE-2007-0038,CVE-2007-1765,CVE-2008-0015,CVE-2008-
0020,CVE-2009-1923,CVE-2009-1924,CVE-2009-3675,CVE-2010-0020,CVE-2010-0021,CVE-2010-0022,CVE-2010-0231,CVE-
2010-1886,CVE-2015-1768,CVE-2015-1768…
MS14-066: Vulnerability in Schannel - Remote Code
Execution
7.53% 10CVE-2014-6321
MS15-034: Vulnerability in HTTP.sys - Remote Code
Execution
7.53% 10CVE-2015-1635
MS17-010: Security Update for Microsoft Windows SMB
Server ETERNALBLUE WannaCry Petya
7.53% 9.3CVE-2017-0143,CVE-2017-0144,CVE-2017-0145,CVE-2017-0146,CVE-2017-0147,CVE-2017-0148
Microsoft Windows SMBv1 Various Vulnerabilities 6.45% 9.3CVE-2017-0267,CVE-2017-0268,CVE-2017-0269,CVE-2017-0270,CVE-2017-0271,CVE-2017-0272,CVE-2017-0273,CVE-2017-
0274,CVE-2017-0275,CVE-2017-0276,CVE-2017-0277,CVE-2017-0278,CVE-2017-0279,CVE-2017-0280
PHP 5.6.x < 5.6.33 Various Vulnerabilities 6.45% 10CVE-2014-9425,CVE-2014-9709,CVE-2015-1351,CVE-2015-1352,CVE-2015-8383,CVE-2015-8386,CVE-2015-8387,CVE-2015-
2016-10160,CVE-2016-10161,CVE-2016-3141,CVE-2016-3142,CVE-2016-4070,CVE-2016-4071,CVE-2016-4072,CVE-2016-
2018-5711,CVE-2018-5712
Apache Traffic Server 4.x < 4.2.1.1 / 5.x < 5.0.1 Synthetic
Health Check Vulnerability
4.30% 10CVE-2014-3525
Dropbear SSH Server < 2016.72 Various Vulnerabilities 3.23% 10CVE-2016-7406,CVE-2016-7407,CVE-2016-7408,CVE-2016-7409
HP Data Protector - Command Execution 3.23% 10CVE-2011-0923
MS12-020: Vulnerabilities in RDP - Remote Code Execution 3.23% 9.3CVE-2012-0002,CVE-2012-0152
Other 17.20%

External
Key points:
• 7.5% of all high and critical risk vulnerabilities discovered in 2018
related to exposure to NotPetya CVE’s (CVE-2017-0144, CVE-2017-
0145) - Windows SMB Remote Code Execution Vulnerability.
• 33.33% of all high and critical risk vulnerabilities discovered in 2018
were in relation to unsupported Windows Server 2003 systems. (no
patching, support, expired systems).
• Systems running PHP and Apache also contributed to the Top 10 due
to weak component security (Patching of runtime) and traditional
patch management of exposed systems.

Internal
Name
% of total
discovered
CVSS 2.0
score
CVE’s
Microsoft Windows SMBv1 Vulnerabilities 11.40% 9.3 CVE-2017-0267,CVE-2017-0268,CVE-2017-0269,CVE-2017-0270,CVE-2017-0271,CVE-2017-
0272,CVE-2017-0273,CVE-2017-0274,CVE-2017-0275,CVE-2017-0276,CVE-2017-0277,CVE-
2017-0278,CVE-2017-0279,CVE-2017-0280
MS12-020: Vulnerabilities in Remote Desktop -
RCE
10.30% 9.3 CVE-2012-0002,CVE-2012-0152
HP System Management Homepage < 6.3
Various Vulnerabilities
9.36% 10 CVE-2010-1917,CVE-2010-2531,CVE-2010-2939,CVE-2010-2950,CVE-2010-3709,CVE-2010-
4008,CVE-2010-4156,CVE-2011-1540,CVE-2011-1541
Microsoft Windows Server 2003 Unsupported
Installation Detection
1765,CVE-2008-0015,CVE-2008-0020,CVE-2009-1923,CVE-2009-1924,CVE-2009-3675,CVE-
2010-0020,CVE-2010-0021,CVE-2010-0022,CVE-2010-0231,CVE-2010-1886,CVE-2015-
1768,CVE-2015-1768
HP Data Protector - Command Execution 5.84% 10 CVE-2011-0923
MS17-010: Security Update for Microsoft SMB
Server - ETERNALBLUE, WannaCry,
EternalRocks, Petya
0148
MS14-066: Vulnerability in Schannel - RCE 4.90% 10 CVE-2014-6321
HP Data Protector Remote Command Execution 4.74% 10 CVE-2011-0923
HP System Management Homepage < 7.6.1
Various Vulnerabilities (HPSBMU03753)
2.48% 7.8 CVE-2016-8743,CVE-2017-12544,CVE-2017-12545,CVE-2017-12546,CVE-2017-12547,CVE-
2017-12548,CVE-2017-12549,CVE-2017-12550,CVE-2017-12551,CVE-2017-12552,CVE-2017-
12553
MS15-011: Vulnerability in Group Policy -RCE
(3000483)
1.98% 8.3 CVE-2015-0008
Other 35.20%

Internal
Key points:
5.23% of all discovered high and critical vulnerabilities discovered
related to exposure to NotPetya, Wannacry, Eternalblue CVE’s
Internal security has always been considered the “Soft underbelly” in
network security. Given the spate of Ransomware and Malware attacks
which occurred in 2018, the successful release of such malware would
cause significant hard due to unpatched and poorly managed non Internet
facing systems.
8.76% of all discovered high and critical risk vulnerabilities related to
unpatched windows 2003 systems which have a significant list of known
vulnerabilities .
Patch, Patch, Patch

Curious Open Ports and Exposed Services
Protocol Service Name/Description % of all discovered
open ports
tcp SSH 7.7868%
tcp RDP 3.0596%
udp SNMP 2.6502%
tcp redis 2.0100%
tcp Microsoft RPC 1.9132%
tcp SMB 1.8983%
tcp SMTP 1.8760%
tcp NetBIOS Session Service 1.7569%
udp isakmp 1.7122%
udp ntp 1.5856%
tcp FTP 0.9529%
tcp DNS Firewall Port 0.7221%
tcp Exposed Database 0.3059%
tcp Telnet 0.2394%
tcp Post Office Protocol 3 over TLS/SSL (POP3S) 0.1951%
tcp Internet Message Access Protocol (IMAP) 0.1906%
tcp Internet Message Access Protocol over SSL (IMAPS) 0.1862%
tcp Post Office Protocol (POP3) 0.1818%
tcp DHCP Server 0.1773%
tcp VNC 0.1507%
Total of all Ports discovered 29.55%
The most common exposed ports, which
possibly shouldn’t be!! Based on a sample
of 250,000 public Internet facing assets
under continuous profiling in the past 12
months to December 2018.
This includes 0.3% (750) exposed
databases
This includes 3.05% (7,625) exposed RDP
(Remote Login Services).
This includes 2.65% (6,500) exposed Redis
services (Redis is an open source (BSD
licensed), in-memory data structure
store).

MTTR – Time to Fix
The average window of exposure for critical web application
vulnerabilities is 69 days.
The average window of exposure for critical infrastructure
vulnerabilities is 65 days.
65 64
78
120
0
20
40
60
80
100
120
140
Critical Risk High Risk Medium Risk Low/Info
Days
Risk
MTTR Infrastructure
69
83
74
84
0
20
40
60
80
100
Critical Risk High Risk Medium Risk Low/Info
Days
Risk
Web Application MTTR

CVE Landscape
Oldest CVE discovered in 2018 is CVE-1999-0017
FTP servers can allow an attacker to connect to arbitrary ports on machines other than the FTP client, aka
FTP bounce.
CVSS v2: 7.5
Most common CVE discovered in 2018 is CVE-2015-2808
The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data
with key data during the initialization phase, which makes it easier for remote attackers to conduct
plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally
relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB
values, aka the "Bar Mitzvah" issue.
CVSS v2: 4.3
81.58% of systems had at least one CVE
72.11% of systems had more than one CVE
Interestingly, 20.57% of systems had more than 10 CVEs

CVE Landscape
External CVE as a % of all discovered
Year % of CVE
1999 0.48%
2000 0.03%
2001 0.20%
2002 0.71%
2003 0.38%
2004 5.35%
2005 3.12%
2006 0.62%
2007 3.36%
2008 4.65%
2009 0.40%
2010 2.64%
2011 16.81%
2012 9.94%
2013 9.63%
2014 9.41%
2015 22.67%
2016 4.59%
2017 4.45%
2018 0.55%
Internal CVE as a % of all discovered
Year % of CVE
1999 4.35%
2000 2.90%
2001 2.90%
2002 2.90%
2003 0.00%
2004 1.45%
2005 21.74%
2006 8.70%
2007 1.45%
2008 5.80%
2009 1.45%
2010 4.35%
2011 7.25%
2012 7.25%
2013 8.70%
2014 23.19%
2015 26.09%
2016 7.25%
2017 7.25%
2018 0.00%
0.00%
10.00%
20.00%
30.00%
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
External Landscape
CVE's discovered by Age
0.00%
5.00%
10.00%
15.00%
20.00%
25.00%
30.00%
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
Internal Landscape
CVE’s discovered by Age

PCI DSS Compliance
PCI DSS standard defines a vulnerability with a base CVSS 2.0 score more or equal to 4.0 as a compliance Fail.
Common Vulnerability Scoring System (CVSS), http://www.first.org/cvss/, base score, as indicated in the
National Vulnerability Database (NVD), http://nvd.nist.gov/cvss.cfm (where available)
https://www.pcisecuritystandards.org/documents/ASV_Qualification_Requirements_v3.0.pdf
Fullstack View:
68% of all vulnerabilities discovered in 2018 had a score equal to or higher than 4.0
– PCI DSS Fail
Network View:
57% of all network layer vulnerabilities discovered in 2018 had a score equal to or higher than 4.0
– PCI DSS Fail
Web Application View:
22% of all web application vulnerabilities discovered in 2018 had a score equal to or higher than 4.0
– PCI DSS Fail

That’s a wrap
System visibility is vitally important to maintaining compliance and cyber security
CVE’s / Known vulnerabilities are still going unpatched
Web application security is still the major area or risk introduction
System maintenance is still a challenge. Bill of materials needs to be maintained.
Is security keeping pace with System development?

Any Questions?
Eoin Keary
@eoinkeary
eoin@edgescan.com

Edgescan vulnerability stats report 2019 - h-isac-2-2-2019

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à Edgescan vulnerability stats report 2019 - h-isac-2-2-2019

Similaire à Edgescan vulnerability stats report 2019 - h-isac-2-2-2019 (20)

Plus de Eoin Keary

Plus de Eoin Keary (20)

Dernier

Dernier (20)

Edgescan vulnerability stats report 2019 - h-isac-2-2-2019