52% of critical vulnerabilities we found were related to Windows 10

We analyzed 2.5 million vulnerabilities found in customer assets. This is what we found.

Dive into the data

The data set we analyze here represents a subset of customers who subscribe to our vulnerability scanning services. The assets scanned include assets accessible via the Internet and assets present on the internal network. This data includes findings from network devices, desktop computers, web servers, database servers, and even the odd document printer or scanning device.

This dataset contains fewer organizations than the previous dataset used in Security Navigator 2023 last year (down by 3), and some organizations have been replaced by newly added organizations. As the organization changes, so does the asset mix, which makes comparing previous results akin to comparing apples and oranges (we may be biased), but it’s still worth noting similar patterns if possible.

This year, we revisit the topic of threatening vulnerabilities, focusing on the ever-present and lingering unaddressed system vulnerabilities. The waves of newly discovered serious problems serve only to draw our attention to existing unsolved problems, and like a hydra, it keeps growing new heads as long as you send others around.

Assessing whether a system is adequately protected is a challenge that requires skill and expertise, and can take a significant amount of time. But we want to know about any weaknesses beforehand rather than have to deal with the consequences of an unplanned “free penetration test” by a random Cy-X team.

Vulnerability scan results by severity

Examining the share of severity ratings for each unique finding, we found that the majority of unique findings (79%) were classified as “high” or “medium.” However, it is also worth noting that half (50.4%) of the unique findings were considered “severe” or “high.”

Compared to our previously published results, the average number of “severe” or “high” results decreased by 52.17% and 43.83%, respectively. Survey results with severity ratings of “medium” and “low” also improved, falling by 29.92% and 28.76% respectively. Year-over-year comparisons are of limited value as this report uses a slightly different customer sample than last year, but we see evidence that customers are responding well to our report’s findings, leading to overall improvements.

The majority of findings rated “Severe” or “High” (78%) were 30 days or less (when looking at a 120-day window). Conversely, 18% of all findings rated “critical” or “high” were 150 days old or older. From a prioritization perspective, it appears that actual findings of “serious” or “high” can be dealt with quickly, but some residual issues still accumulate over time. As a result, we see pending findings getting older and older. In fact, about 35% of unique CVEs come from discoveries 120 days old or older.

The image above shows the long tail of unresolved real discoveries. Note that the first significant long-tail peak is around 660 days, and the second peak is at 1380 days (3 years and 10 months).

window of opportunity

The higher average number of Critical and High results is largely affected by assets running Microsoft Windows or Microsoft Windows Server operating systems. There are assets running operating systems other than Microsoft (such as Linux-based operating systems), but these assets are reported at a much smaller proportion.

However, we should note that a “Critical” or “High” result associated with an asset running Windows is not necessarily a vulnerability in the operating system, but may also be related to the application running on the asset.

It’s perhaps understandable that unsupported versions of Microsoft Windows and Windows Server feature prominently here, but it’s surprising to find that newer versions of these operating systems are rated “critical” or “high” in severity.

Industry perspective

We use NAICS for industry classification. The results here only consider results from host-based scans, not services such as web applications. The average unique actual discovery per unique asset across all organizations is 31.74, as shown by the horizontal dashed line in the chart below.

Our construction clients appear to be doing exceptionally well compared to clients in other industries, with an average of 12.12 results per asset. On the other hand, we have the mining, quarrying, and oil and gas industries, where we report an average of 76.25 unique discoveries per asset. What surprised us about clients in the public administration sector was that despite a higher number of assets, clients in the finance and insurance sector had an average of 35.3 results per asset, compared to 43.27. Of course, these values ​​are drawn from the customer base in our sample and may not represent general reality.

When comparing the average severity of each unique asset in each industry, we see a mixed picture. We can ignore health care, social assistance, and messaging because of their relatively small number of unique assets, which results in averages that are disproportionate to other industries.

The overall industry average for our severity ratings is 21.93, with mining, quarrying, and oil and gas extraction being more than twice that average.

Likewise, findings for each unique asset in Finance and Insurance and Accommodation and Food Services exceeded the overall average of 10.2 and 3.4 respectively. The “severe” survey results for these three industries exceeded the overall average, with accommodation and food servers scoring almost three times higher.

Vulnerability is obsolete

As we revisit the topic of threatening vulnerabilities this year, we once again view with skepticism the stories of ever-present and lingering unsolved system vulnerabilities that are only growing older. We evaluated more than 2.5 million vulnerability findings reported to customers and more than 1,500 reports from professional ethical hackers to understand the current state of security vulnerabilities and consider their role and effectiveness as a prioritization tool.

The majority of unique findings (79%) reported by our scanning team were classified as “high” or “moderate,” and 18% of all critical findings were 150 days old or older. Although these problems are usually dealt with faster than others, some residue can still build up over time. While most issues we find are resolved after 90 days, 35% of all issues we report persist for 120 days or longer. There are still too many issues that simply have not been resolved.

Our scan results reveal ongoing issues with unpatched vulnerabilities. At the same time, our team of ethical hackers are more frequently encountering newer applications and systems built on contemporary platforms, frameworks, and languages.

The role of an ethical hacker is to conduct penetration testing – simulating a malicious attacker and assessing systems, applications, devices and even people for vulnerabilities that could be used to gain or deny access to IT resources.

Penetration testing is often considered an integral part of vulnerability management, but can also be considered a form of threat intelligence that enterprises should use as part of a proactive defense strategy.

17.67% of our Ethical Hacking Report’s findings were rated “critical,” but more optimistically, today’s hackers have to work harder than in the past to spot these issues.

This is just an excerpt from the analysis.For more details on our analysis of vulnerability and penetration testing (as well as a host of other interesting research topics such as the VERIS classification of incidents handled in our CyberSOC, cyber extortion statistics and hacktivism analysis) please See Security Navigator. Just fill out the form to download. It’s worth it!

notes: This informative article was crafted and generously shared by Charl van der Walt, Head of Orange Cyberdefense Security Research Center.