Only one in 20 vulnerabilities are exploited in the wild, claim researchers

Of 76,000 security flaws unearthed between 2009 and 2018, only 4,183 were exploited in the wild by attackers

Only 5.5 per cent of all vulnerabilities present in computing systems are ever exploited in the wild.

That's according to a new study by a joint team of researchers from Cyentia, RAND Corporation, and Virginia Tech, who conducted the study in collaboration with Kenna Security - a US-based vulnerability and threat management firm.

In the study, researchers analysed 76,000 security flaws unearthed between 2009 and 2018, and found that just 4,183 of them (about 5.5 per cent) were actually exploited in the wild by hackers.

According to ZDNet, the researchers could not find any correlation between the publication of proof-of-concept exploit code on websites and the start of exploitation attempts.


Of the 4,183 vulnerabilities that were exploited, only 50 per cent had exploit code available on public websites, which suggests that attackers are willing to target specific flaws and can develop their own exploits if needed.

Another interesting finding of the research was that most flaws exploited in the wild had a high CVSSv2 severity score of 9 or 10. Flaws with a CVSSv2 score of 10 are considered both easy to exploit and dangerous.

This finding indicates that vulnerabilities with a higher CVSSv2 score are more likely to be heavily exploited by attackers, regardless of whether exploit code is available on public websites.
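To check the study's three findings against one's own vulnerability data, here is an added Python example (not from the study or the article) that computes the overall exploitation rate, the rate per CVSSv2 band, and the share of exploited flaws that had public PoC code over a small constructed sample; the records, identifiers and score bands are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str      # placeholder identifier, not a real CVE number
    cvss_v2: float    # CVSSv2 base score, 0.0-10.0
    poc_public: bool  # proof-of-concept exploit code published on a public site
    exploited: bool   # exploitation observed in the wild


# Constructed sample (not the study's data): most flaws are never exploited,
# exploitation clusters at CVSSv2 9-10, and PoC availability is mixed.
SAMPLE = [
    VulnRecord("VULN-0001", 10.0, True, True),
    VulnRecord("VULN-0002", 9.3, False, True),
    VulnRecord("VULN-0003", 10.0, False, True),
    VulnRecord("VULN-0004", 7.5, True, False),
    VulnRecord("VULN-0005", 5.0, True, False),
    VulnRecord("VULN-0006", 4.3, False, False),
    VulnRecord("VULN-0007", 9.3, True, False),
    VulnRecord("VULN-0008", 6.8, False, False),
    VulnRecord("VULN-0009", 10.0, True, True),
    VulnRecord("VULN-0010", 2.1, True, False),
]


def exploitation_rate(records):
    """Share of records with exploitation observed in the wild (0.0 if empty)."""
    return sum(r.exploited for r in records) / len(records) if records else 0.0


def rate_by_cvss_band(records):
    """Exploitation rate per assumed band: '9-10', '7-8.9' and '<7'."""
    bands = defaultdict(list)
    for r in records:
        key = "9-10" if r.cvss_v2 >= 9.0 else "7-8.9" if r.cvss_v2 >= 7.0 else "<7"
        bands[key].append(r)
    return {band: exploitation_rate(rs) for band, rs in bands.items()}


def poc_share_among_exploited(records):
    """Of the flaws exploited in the wild, the fraction that had public PoC code."""
    exploited = [r for r in records if r.exploited]
    return sum(r.poc_public for r in exploited) / len(exploited) if exploited else 0.0


def rate_by_poc_availability(records):
    """Exploitation rate with and without public PoC code, to test PoC as a predictor."""
    with_poc = [r for r in records if r.poc_public]
    without_poc = [r for r in records if not r.poc_public]
    return {"poc_public": exploitation_rate(with_poc), "no_poc": exploitation_rate(without_poc)}
```

On this sample the 9-10 band is exploited far more often than the lower bands, while flaws without public PoC code are exploited at least as often as those with it, mirroring the two findings above.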


The researchers used multiple sources to compile the data for the study. They included NIST's National Vulnerability Database, the SANS Internet Storm Center, FortiGuard Labs, ReversingLabs metadata, AlienVault's OSSIM metadata, Contagio, Exploit DB, and Secureworks CTU.

Kenna Security provided the research team with a count of the occurrences of each flaw, obtained by scanning hundreds of corporate networks.

The detailed findings of the research are available in a white paper entitled 'Improving Vulnerability Remediation Through Better Exploit Prediction', presented this week at the 2019 Workshop on the Economics of Information Security in Boston, Massachusetts.

"Our work contributes to the literature on the economics of information systems, and computer science literature on vulnerability remediation," the researchers wrote in the paper.

"In addition, we believe this work has significant implications for decision makers when assessing cyber security risk, to include firms, federal agencies, and national security policy makers," they added.
