Out of the top five vulnerabilities for 2020, three dated back to 2019 or earlier, according to infosec firm Tenable's annual threat report.
While Zerologon was the company's number one insecurity for 2020, the hoary old Pulse Secure VPN vuln (CVE-2019-11510) was number three, while flaws in Citrix and Fortinet connectivity platforms dating from 2019 and 2018 respectively were also up there.
"As long as unpatched vulnerabilities remain a problem for organizations, you can expect us to keep harping on about them," said Tenable in its 2020 Threat Landscape Report, published today. "This low-hanging fruit is favoured by nation state actors and run-of-the-mill cybercriminals alike."
During the annus horribilis that was 2020, Tenable reckoned that in excess of 18,000 vulnerabilities were reported, saying this was a 6 per cent increase year-on-year and a 183 per cent increase from 2015. While concerning, this could perhaps be explained by last year's wholesale shift to remote working prompting a wave of research (and exploitation) focused on VPNs and remote-working tech.
"Every day, cybersecurity professionals in the UK and the rest of the world are faced with new challenges and vulnerabilities that can put their organisations at risk. The 18,358 vulnerabilities disclosed in 2020 alone reflects a new normal and a clear sign that the job of a cyber defender is only getting more difficult as they navigate the ever-expanding attack surface," said Satnam Narang, a staff research engineer at Tenable.
Lest anyone start breathing a sigh of relief that their VPNs are all up to date with security patches, however, you still need to worry about that perennial favourite – ransomware. Quoting former US CISA director Chris Krebs, Tenable warned that ransomware "is the most visible, disruptive threat today," adding:
"The ramifications are not only linked to service disruptions and downtime for employees. When the exposure of proprietary or customer information becomes a bargaining chip leveraged by ransomware groups, the stakes are even higher."
Last year ransomware soared in popularity, with companies being completely reliant on their IT networks functioning flawlessly. Tenable added that even plain old denial-of-service attacks became a bigger threat in 2020 than they had been for some years, thanks in part to the inevitable addition of ransom demands.
"Furthermore, the threat of sustained denial of service attacks against an organization's website, their primary communications channel, puts even more pressure on the victims to pay up," it said.
Tenable also said that 22 billion user records were exposed in data breaches over the year, though at such scale it is impossible to tell whether those were new records or previously stolen data circulating around the murkier corners of the internet. ®