The pandemic had a big impact on the number of susceptibilities being exposed by cyber actors, to explore this further, Cyphere has analysed the statistics, comparing the figures to pre-pandemic years to highlight the effect Covid has had on cybersecurity.
A rise in digital transformation as a result of the pandemic led to companies purchasing new tech assets to support their staff working remotely.
These new technologies led to cybersecurity oversights that could have resulted in an increase in security exposures such as a lack of security validations before introducing the product to employees.
They analysed the number of vulnerabilities by year, to visualise the rise in exposures before and throughout the pandemic.
- 2018 – 16,509 vulnerabilities
- 2019 – 17,307 vulnerabilities
- 2020 – 18,351 vulnerabilities
- 2021 – 20,157 vulnerabilities
As seen above, the number of security exposures has steadily increased over the past four years. Until 2017, the figure had never reached 10,000 but less than five years later had doubled to over 20,000 security bypasses.
It signifies a huge shift in cyber protection, with the rise in cyber risks putting users and businesses at risk of data hacks.
They also examined the severity of the susceptibilities, they did this by using the CVSS (Common Vulnerability Scoring System) to determine whether the exposures were low, medium or high risks.
2021 saw the highest total number of exposures, with 20,157 across those twelve months. The severity of these exposures can be seen below:
- High risk: 4071 vulnerabilities
- Medium risk: 12,903 vulnerabilities
- Low risk: 3183 vulnerabilities
In comparison to 2021’s susceptibilities, 2020 registered a larger number of high-risk exposures with 4379, 308 more despite having fewer total susceptibilities.
Analysing the most common types of susceptibilities can be extremely useful in forming a response to the wave of cyber attacks, it can allow cybersecurity professionals to build a defence to counteract the breach.
Each security exposure is defined using the CWE (Common Weakness Enumeration), which is used to categorise the weakness, it serves as a baseline for exposure identification.
Frustratingly, throughout the pandemic, the highest number of vulnerability types were ‘NVD-CWE-noinfo’ meaning the security bypass was undefined.
The problem with undefined exposures is that the lack of information makes it difficult to put actions in place to avoid this reoccurring. There were over 3000 undefined susceptibilities in 2020 alone.
The number of exposures that were undefined grew between 2019 and 2020, it accounted for 13.49% of susceptibilities in 2019 and 19.35% in 2020.
When analysing the statistics from the pandemic, examining month-specific data can allow for more context in understanding the effect of Covid on cybersecurity.
The month-specific data revealed April 2020 was the worst month in terms of the number of cyber attacks. Across April, there were a total of 2209 attacks with 939 high-risk attacks and 302 critical risks. The lowest amount was the following month, May 2020 recorded 1058 attacks.
In 2021, April and June saw the highest number of vulnerabilities, April saw 1927 exposures whilst June recorded 1965 attacks. Between March 2020 and July 2021 there were a total of 27,887 vulnerabilities
Lastly, they analysed the products being targeted by cyber actors, worryingly they found that a number of Microsoft products were the primary target. Products such as Microsoft Exchange Servers and Microsoft MSHTML were being bypassed to gain access to personal details.
Harman Singh from Cyphere spoke on the report:
“This analysis of the NIST NVD entries during the pandemic presents a number of useful indicators for security and infrastructure teams. Digital and advanced transformations before and during the pandemic forces businesses to adopt digital solutions, at times bypassing standard approvals and change procedures. This is one of the added factors to the rise in cyber attacks.
“Although there has been increase in total vulnerabilities year on year basis, there are two ways to look at it – good news and bad news. There has been a decrease in critical risk vulnerabilities in 2021 compared to peak Covid months in 2020. Bad news is it's not just the numbers we need to look at, but looking at the impacted services is a worrying factor. It includes email, internal and external services of a corporate network including remote connectivity solutions such as VPN, security gateways.
“This is why organisations should look into vulnerabilities more than just a CVE. These factors include exploitation in the wild, data sensitvity levels related to the affected service and potential impact. Keeping the practical context into mind helps security teams analyse large amount of vulnerabilities in an efficient manner. This reduces the noise that sometimes consists of just CVE scores but are practically complex attacks or have complex dependencies before an exploit takes place.
“It underscores the importance of regular assessments such as penetration testing, vulnerability scanning and management and incident response preparation. Organisations should adhere to strong basics with proactive approach towards security, utilising the industry expertise to stay on top of ever changing threat landscape.”