Tenable's analysis of data breaches in 2020 reveals over 22 billion records exposed

This analysis has been published in Tenable's 2020 Threat Landscape Retrospective (TLR) report which provides an overview of the key vulnerabilities disclosed or exploited in the 12 months ending December 31, 2020

  
Satnam Narang, Staff Research Engineer at Tenable

Satnam Narang, Staff Research Engineer at Tenable

Dubai, UAE: Analysis of breach data by Tenable’s Security Response Team (SRT) has revealed that, from January through October 2020, there were 730 publicly disclosed events resulting in over 22 billion records exposed worldwide. Thirty five percent of breaches analyzed by Tenable were linked to ransomware attacks, resulting in tremendous financial cost, while 14% of breaches were the result of email compromises. One of the overarching themes of the threat landscape in 2020 was that threat actors relied on unpatched vulnerabilities in their attacks as well as chaining together multiple vulnerabilities as part of their attacks. This analysis has been published in Tenable’s 2020 Threat Landscape Retrospective (TLR) report which provides an overview of the key vulnerabilities disclosed or exploited in the 12 months ending December 31, 2020.

As organizations around the world prepare to face the new cybersecurity challenges looming in 2021, it’s crucial to pause and take a look back at the most critical vulnerabilities and risks from the past year. Understanding which enterprise systems are affected by the year’s vulnerabilities can help organizations understand which flaws represent the greatest risk.

From 2015 to 2020, the number of reported common vulnerabilities and exposures (CVEs) increased at an average annual percentage growth rate of 36.6%. In 2020, 18,358 CVEs were reported, representing a 6% increase over the 17,305 reported in 2019, and a 183% increase over the 6,487 disclosed in 2015. Prioritizing which vulnerabilities warrants attention is more challenging than ever. Two notable trends from the report are:

  • Pre-existing vulnerabilities in virtual private network (VPN) solutions many of which were initially disclosed in 2019 or earlier continue to remain a favorite target for cybercriminals and nation-state groups.
  • Web browsers like Google Chrome, Mozilla Firefox, Internet Explorer and Microsoft Edge are the primary target for zero-day vulnerabilities, accounting for over 35% of all zero-day vulnerabilities exploited in the wild.

Fixing unpatched vulnerabilities, implementing strong security controls for remote desktop protocol, ensuring endpoint security is up-to-date and regularly performing security awareness training are steps organizations can take to thwart some of these attacks.

“As defenders, it’s difficult enough to prioritize remediation given the hundreds of vulnerabilities released on Microsoft’s Patch Tuesday every month and Oracle’s Critical Patch Update each quarter. Add in the impact from COVID-19 for defenders trying to protect their newly remote workforce and you have a recipe for chaos,” said Satnam Narang, Staff Research Engineer at Tenable. “Security teams know to pick their battles, but when there is a flurry of vulnerabilities with a CVSSv3 score of 10.0 released within weeks of each other, the battles are being chosen for you and they’re happening simultaneously. In order to manage vulnerability overload, you’ll need to take inventory of your entire network, identify your most critical assets and ensure they receive patches in an appropriate time frame. Additional indicators, such as CVSSv3 scores and the availability of PoC exploit scripts, can provide further insight into  whether or not  a vulnerability is more likely to be exploited in the wild, helping your team focus first on the most severe threats facing your network.”

Throughout the year, Tenable’s Security Response Team tracks and reports on vulnerabilities and security incidents, providing guidance to security professionals as they plan their response strategies. The team’s work gives them the opportunity to closely observe the ever-changing dynamics of the threat landscape.

"If we learnt anything from 2020 it is that we are all reliant on the infrastructure and supply chains underpinning modern society be it agriculture, pharmaceutical development, and food and beverage manufacturing especially in times of crisis. Unfortunately, threat actors are also looking for ways to capitalise on any lowering of defences," said Maher Jadallah, Regional Director - Middle East. "The challenge might appear insurmountable particularly given the ever-expanding attack surface of IT, operational technology (OT) and internet of things (IoT) devices. Given the reliance of threat actors on unpatched vulnerabilities, it is increasingly obvious that vulnerability management has a central role to play in modern cybersecurity strategies." 

Send us your press releases to pressrelease.zawya@refinitiv.com

© Press Release 2021

Disclaimer: The contents of this press release was provided from an external third party provider. This website is not responsible for, and does not control, such external content. This content is provided on an “as is” and “as available” basis and has not been edited in any way. Neither this website nor our affiliates guarantee the accuracy of or endorse the views or opinions expressed in this press release.

The press release is provided for informational purposes only. The content does not provide tax, legal or investment advice or opinion regarding the suitability, value or profitability of any particular security, portfolio or investment strategy. Neither this website nor our affiliates shall be liable for any errors or inaccuracies in the content, or for any actions taken by you in reliance thereon. You expressly agree that your use of the information within this article is at your sole risk.

To the fullest extent permitted by applicable law, this website, its parent company, its subsidiaries, its affiliates and the respective shareholders, directors, officers, employees, agents, advertisers, content providers and licensors will not be liable (jointly or severally) to you for any direct, indirect, consequential, special, incidental, punitive or exemplary damages, including without limitation, lost profits, lost savings and lost revenues, whether in negligence, tort, contract or any other theory of liability, even if the parties have been advised of the possibility or could have foreseen any such damages.


More From Press Releases