Vulnerabilities on the decline, but risk assessment is often flawed, study says

The number of vulnerabilities could reach a three-year low in 2014, but correctly assessing their risk can be hard, IBM researchers said

Based on data gathered over the first six months of 2014, security researchers from IBM X-Force predict that the number of publicly reported vulnerabilities will drop to under 8,000 this year, a first since 2011.

While the majority of flaws disclosed so far fall into the medium-risk category, the IBM researchers said that the widely used system to rate their severity often fails to reflect the real risk they pose to users.

Over the first half of the year, the IBM X-Force team collected reports about 3,900 security vulnerabilities from advisories published by software vendors, security industry mailing lists and other sources. If vulnerability disclosures continue at the same rate, the number of flaws reported in 2014 will fall under 8,000, several hundred less than in each of the previous two years, the team said in a report released this week.

"It is difficult to point to any one factor that has contributed to the decline in the number of vulnerability disclosures in 2014," the X-Force researchers said. "However, it is interesting to note that the total number of vendors disclosing vulnerabilities has decreased year over year (1,602 vendors in 2013, compared to 926 vendors in 2014)."

Security experts have argued in the past that the overall number of vulnerabilities is not as relevant as their impact. However, despite attempts to standardize methods of assessing the severity of vulnerabilities, like the Common Vulnerability Scoring System (CVSS), there are many cases where the true risk posed by certain flaws is not represented accurately.

"Many in the industry, including security analysts, corporate incident response teams and enterprise software consumers, have become dissatisfied with scoring inconsistencies that often occur across different organizations," the X-Force researchers said. "Sometimes the inconsistencies are the result of the subjectivity that can go into how an individual or organization scores vulnerabilities, but they can also result from some of the inherent flaws in the current CVSS standard and a lack of clear guidelines on how to objectively assess certain types of vulnerabilities."

One prime example is the Heartbleed flaw disclosed in the OpenSSL library in early April that can be exploited by attackers to extract sensitive information from the memory of Web servers. The vulnerability received a CVSS base score of 5.0 out of 10, which puts it into the medium-risk category.

"With the number of products impacted, the time and attention IT teams spent patching systems and responding to customer inquiries, as well as the potential sensitivity of data exposed, the true impact of the Heartbleed vulnerability was greater than the CVSS base score would indicate," the X-Force researchers said. "This also brings to question what other vulnerabilities fell into the medium-risk category (CVSS base score 4.0 to 6.9) that may have been disregarded by organizations, but that also had potential large-scale impacts similar to Heartbleed."

Sixty-seven percent of vulnerabilities disclosed during the first half of 2014 fell into the medium-risk level based on their assigned CVSS scores, according to the IBM report. This is similar to numbers seen in the previous two years.

In 2013, Carsten Eiram, the chief research officer at Risk Based Security, and Brian Martin from the Open Security Foundation, two researchers experienced in maintaining vulnerability databases, wrote an open letter detailing CVSS shortcomings to the Forum for Incident Response and Security Teams (FIRST), the organization that maintains the standard.

"While CVSSv2 saw improvements over CVSSv1, the scheme is still not adequately supporting real life usage, as it suffers from being too theoretical in certain aspects," Eiram and Martin wrote in their letter. "Specific vulnerability types and vectors are not properly supported while others are not properly described, leading to subjective and inconsistent scoring, which CVSS was designed to prevent."

Lucian Constantin

IDG News Service