Vulnerability Disclosures Rise to Meet Federal Requirements

For all its other security milestones, 2021 was the year that vulnerability disclosures began to get their due, taking on greater importance across all sectors. The sharpest growth was in government, where valid submissions rose 1,000%, followed by financial services and software, where they rose 82% and 73%, respectively.

In financial services, the upswing was likely driven by the industry's attempt to shore up security after a rapid digital transformation. The government vertical saw its greatest increase in the third quarter, when federal directives making vulnerability disclosure a requirement (notably CISA's Binding Operational Directive 20-01, which requires federal civilian agencies to publish a vulnerability disclosure policy) pushed agencies to increase investment in crowdsourced security, according to Bugcrowd's 2021 Priority One Report.

“Organizations need to have a proper understanding, and a continuous one, of their overall attack surface,” said Casey Ellis, founder and CTO at Bugcrowd. “A VDP [vulnerability disclosure program] or a public bug bounty program is an ideal way to do this.”

It comes as no surprise that Bugcrowd found ransomware attacks ticked up during 2021, or that securing the software supply chain was top of mind after a string of supply-chain compromises. After all, organizations were still dealing with the consequences of rushing their workforces home the year before, when the pandemic suddenly shut down just about everything.

That placed a premium on crowdsourced ethical hacking, particularly in financial services, which saw a 185% jump in high-risk vulnerabilities.

Cross-site scripting (XSS) was the most commonly identified type of vulnerability, the report said. Ethical hackers were rewarded for their efforts: payouts increased 106% in the financial services sector and 73% in software.

With one attack after another occurring in rapid succession, many of them making headlines, ransomware barreled past personal data breaches to become the top threat around the world last year.

And 2021 saw the nature of, or at least the thinking behind, advanced persistent threats (APTs) change. No longer defined simply by highly advanced tactics and clandestine operations, APTs relied on more pedestrian methods, often exploiting known, already-disclosed vulnerabilities for which a patch exists (seriously, patch those things!), a practice that has come to be known as N-day exploitation. Another shift in 2021: nation-state attackers no longer try as hard to fly under the radar, a reflection of the degradation of diplomatic norms when it comes to hacking.

“Adversaries choose the path of least resistance: They’ll either exploit the human or exploit the system,” said Tim Wade, technical director, CTO team, Vectra. “Like all preventative controls, a strategy that relies solely on patching to remove risk must be correct every time or else some lingering, exploitable condition will persist. In that regard, unpatched vulnerabilities reflect both the nature of the difficulty of complete coverage of the task and the numbers game of an adversary just needing to find a single case of weakness to establish a foothold.”

Noting that “vulnerabilities will increase in number in line with the pace and scale of the tech we adopt, and we’ve come to expect and account for inherent risk in our digital lives,” Tal Morgenstern, co-founder and CPO at Vulcan Cyber, said, “The more concerning trend is a mounting pile of security debt we, as cybersecurity professionals, can’t seem to get ahead of. If IT security teams are leaving previous vulnerabilities unaddressed, the real, current number is cumulative and becoming harder and harder to defend against.”

Cybersecurity teams, he said, “need to do more than just scan for vulnerabilities. We need to work together as an industry to better measure, manage and mitigate cybersecurity risk, or we will be crushed by a growing mountain of vulnerability debt.”

While Archie Agarwal, founder and CEO at ThreatModeler, said it’s not always the case “that the legitimate security researchers always find the vulnerabilities before the criminals,” he advised that “the industry focus must shift towards proactive continuous security in the design and build phase.”

As a recent study noted, he said, “91% of ethical hackers said that point-in-time testing cannot secure companies year-round.” But “only by leveraging automated threat modeling that weaves seamlessly throughout the SDLC will we start to truly tackle the scale of vulnerabilities being found.”


Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.
