The number of IT vulnerabilities in software products increased by 20 percent in 2021: According to a recent security report, more than 66,000 verified vulnerabilities were reported. We will highlight the reasons for this increase, present the Top 3 critical vulnerabilities from last year and show you which IT security tools and measures you should use for your professional vulnerability management.
Rising number of IT vulnerabilities
When it comes to innovation, growth and future-oriented development, modern software offers companies enormous potential. At the same time, its increasing complexity brings more risk: not a day goes by without new vulnerability reports on the relevant security portals. In total, more than 66,000 verified software vulnerabilities were reported in 2021, a 20 percent increase over the previous year. That figure comes from a recent report by the security platform HackerOne, which connects companies with penetration testers, security researchers and ethically motivated hackers in order to coordinate the reporting and remediation of IT security vulnerabilities. According to the same report, the number of vulnerabilities reported through pentests, meaning company-authorized attacks carried out by contracted IT security experts, actually increased by 264 percent.
This is why we see more and more IT vulnerabilities
The significant increase in vulnerabilities can first be attributed to the accelerated digital transformation of companies in response to the coronavirus pandemic and the associated growth of the attack surface. Decision-makers had to find new solutions within a short period of time to keep business running and to digitize analog processes. New technologies such as cloud computing were introduced hastily in many places, and this created new security gaps.
In addition, every new IT product increases the administrative effort required to maintain a company's own infrastructure, because each product has to be kept up to date. Where this does not happen, companies keep running products with known errors or vulnerabilities, even though the manufacturer has already fixed them.
However, according to the aforementioned security report, the increase in vulnerabilities can also be linked to growing security awareness. Companies are increasingly recognizing the relevance of security measures that enable professional external assessment – for example, in cooperation with the DGC.
But which security vulnerabilities turned out to be particularly critical last year? DGC security experts have compiled the Top 3 vulnerabilities from 2021 that enabled thousands of systematic and repeatable cyberattacks on companies – illustrating the enormous scope of hacker attacks in the increasingly connected work environment.
Log4Shell: 1st IT vulnerability
- Official name according to CVE referencing system: CVE-2021-44228
- Affected systems: All systems that use Apache Log4j 2 (log4j-core 2.0-beta9 through 2.14.1), including third-party products that bundle the library
- Mitigation options: Patching, i.e. updating Log4j in the affected systems and applications; where updating is not possible, removing the JndiLookup class from the log4j-core JAR
- Software patch available: Yes from Apache (Log4j 2.17.1 or later); for products that bundle Log4j, depending on the vendor
Log4Shell, CVE-2021-44228, is a vulnerability in the widely used Java logging library Log4j, which is maintained by the Apache Logging Services project. Because Log4j is embedded in a huge number of applications and appliances, the vulnerability had and still has a very large impact on companies and the software solutions they deploy.
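The first step in vulnerability management for Log4Shell is knowing where Log4j actually sits on your own systems, which is harder than it sounds because the library is bundled inside other products. The following Python script is an added example, not DGC's cyberscan.io and not code from the Log4j project. It walks a directory tree, opens every JAR/WAR/EAR archive, reads the log4j-core version from the Maven pom.properties file that the real JARs ship, and checks whether the JndiLookup class (the component Log4Shell abuses) is still present. The sample archives it builds in a temporary directory are constructed for the demonstration; the version range it flags is the published affected range for CVE-2021-44228.

```python
"""Inventory Log4j 2 JARs on disk and flag those affected by CVE-2021-44228 (Log4Shell).

Added example for this article; it is not DGC's cyberscan.io and not code from
the Log4j project. Version strings are read from the Maven pom.properties that
log4j-core JARs ship; the JndiLookup class is the component Log4Shell abuses,
so its presence is reported as well.
"""
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


@dataclass
class Finding:
    path: str
    version: Optional[str]          # None if no log4j-core version marker was found
    jndi_lookup_present: bool
    affected: bool                  # CVE-2021-44228 applies, or cannot be ruled out


def parse_version(version: str) -> tuple:
    """'2.14.1' -> (2, 14, 1, 99); '2.0-beta9' -> (2, 0, 0, 9). Releases sort after betas."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-beta(\d+))?", version)
    if not m:
        return ()
    major, minor, patch, beta = m.groups()
    return (int(major), int(minor), int(patch or 0), int(beta) if beta else 99)


def version_affected(version: str) -> bool:
    """CVE-2021-44228 affects log4j-core 2.0-beta9 through 2.14.1, except the
    backport releases 2.3.1 (Java 6) and 2.12.2 and later (Java 7). 2.15.0 and
    2.16.0 carry follow-up CVEs, so 2.17.1 or later is the practical patch target."""
    t = parse_version(version)
    if len(t) != 4 or t[0] != 2 or t < (2, 0, 0, 9) or t >= (2, 15, 0, 0):
        return False
    if t[1] == 3 and t >= (2, 3, 1, 0):
        return False
    if t[1] == 12 and t >= (2, 12, 2, 0):
        return False
    return True


def inspect_archive(path: str) -> Optional[Finding]:
    """Return a Finding for an archive that contains log4j-core, else None."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            version = None
            if POM_PROPERTIES in names:
                for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            jndi = JNDI_LOOKUP_CLASS in names
    except zipfile.BadZipFile:
        return None
    if version is None and not jndi:
        return None                      # not a log4j-core archive
    # An unknown version with JndiLookup present is reported for manual review rather
    # than silently passed; note that patched 2.17.x still ships the class but restricts it.
    affected = jndi and (version is None or version_affected(version))
    return Finding(path, version, jndi, affected)


def scan_tree(root: str) -> List[Finding]:
    """Walk a directory and inspect every archive (nested JARs inside WARs are not unpacked)."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                finding = inspect_archive(os.path.join(dirpath, name))
                if finding is not None:
                    findings.append(finding)
    return findings


def _write_fake_jar(path: str, version: str, with_jndi: bool) -> None:
    """Constructed sample: a minimal JAR carrying the same marker entries as real log4j-core JARs."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPERTIES,
                    f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only, not real bytecode


def demo() -> Dict[str, Finding]:
    """Build constructed sample JARs in a temp dir, scan them and key the findings by file name."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "app", "lib")
        os.makedirs(lib)
        _write_fake_jar(os.path.join(lib, "log4j-core-2.14.1.jar"), "2.14.1", True)          # unpatched
        _write_fake_jar(os.path.join(lib, "log4j-core-2.14.1-nojndi.jar"), "2.14.1", False)  # class removed
        _write_fake_jar(os.path.join(lib, "log4j-core-2.17.1.jar"), "2.17.1", True)          # patched
        with open(os.path.join(lib, "notes.jar"), "wb") as fh:
            fh.write(b"not a zip")                                                             # ignored
        return {os.path.basename(f.path): f for f in scan_tree(root)}


if __name__ == "__main__":
    for name, f in sorted(demo().items()):
        print(f"{name}: version={f.version} jndi_lookup={f.jndi_lookup_present} affected={f.affected}")
```

Run `scan_tree("/")` (or the application directories of interest) on a host to get an inventory; the "nojndi" sample shows the interim Apache workaround for 2.10 to 2.14.1 of deleting JndiLookup.class from the JAR, which the scanner treats as mitigated. A script like this is a point-in-time check for one host and does not replace a continuous scanning tool; it also does not look inside nested archives, so WAR and EAR files that embed log4j-core need a second pass.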
ProxyShell: 2nd IT vulnerability
- Official names according to CVE referencing system: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207
- Affected systems: On-premises Microsoft Exchange Server (2013, 2016 and 2019); Exchange Online is not affected
- Mitigation option: Update Exchange Server
- Software patch available: Yes
ProxyShell, identified by CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207, is a chain of three vulnerabilities in Microsoft's Exchange Server email software, which is primarily used in companies. Chained together, they allow an unauthenticated attacker to execute code on the server, and the chain is easy to exploit. Microsoft shipped the fixes in the April and May 2021 Exchange security updates, so servers that were kept current were protected before public exploitation began.
CVE-2021-21985: 3rd IT vulnerability
- Official name according to CVE referencing system: CVE-2021-21985
- Affected systems: VMware vCenter Server (6.5, 6.7 and 7.0)
- Mitigation option: Update VMware vCenter Server
- Software patch available: Yes
CVE-2021-21985 has no catchy name, but it still has a major impact, because the affected software, VMware vCenter Server, is used mainly in the enterprise sector to manage virtualized environments. The vulnerability, a remote code execution flaw in a plug-in of the vSphere Client, allows attackers to cause great damage in virtualized environments, and it is comparatively easy to exploit.
Professional vulnerability management reduces risks
These Top 3 vulnerabilities of 2021 illustrate that the associated threats can usually be averted, provided that internal IT staff know which of the company's systems and applications are affected and that the software vendors already offer concrete remediation in the form of patches (updates).
If you want to minimize risks, you are well advised to continuously monitor your own system landscape with IT security tools such as cyberscan.io® provided by DGC and to keep an eye on the current security status with pentests.
Professional vulnerability management is also important because vulnerabilities are not only found in software products. They are often the result of human error, for example in the configuration of applications and systems or in the careless handling of phishing e-mails. Here, certifications from software providers or targeted IT security awareness training can provide a remedy.
To relieve internal IT teams, cooperation with DGC's Cyber Defense Operations Center (CDOC) is another option. Its security analysts combine expertise from different areas of IT security with automated detection: using the tool cyberscan.io®, they obtain a comprehensive view of systems and their vulnerabilities, which shortens the time to respond.
IT vulnerabilities – forecast for 2022
Some of the vulnerabilities mentioned above, such as Log4Shell, will continue to occupy companies in 2022, sometimes resurfacing because they have still not been properly addressed (patched). In addition, criminal activities such as attacks on web services, phishing and identity theft are generally expected to continue at a high level.
At the same time, new security vulnerabilities will emerge. Predicting which software will be affected remains a look into a crystal ball, which is why companies should give high priority to all-round protection of their IT infrastructure.
Would you like to learn more about identifying and closing existing security gaps at an early stage with cyberscan.io as well as our CDOC team and thus reducing IT risks? Contact us – we will be happy to advise you personally.