Saying "only 2.6% of these ever ended up practically exploited" is all well and good after the fact. If you can't tell me _which_ 2.6% I need to care about as the reports come in, or indeed how severe the resulting impact is, then we can't really use that to be any smarter in how we respond to them.
While the infosec industry is used to reading (and pumping out) FUD about software vulnerabilities, eye-catching research suggests about 500 vulns were exploited in 2019 – despite 18,000 new CVEs being created. Kenna Security, a US infosec firm, reckons that despite thousands of vulnerabilities being assigned a Common …
Thursday 18th February 2021 19:12 GMT Throatwarbler Mangrove
These exploits are just like the flu! I'm not going to waste resources needlessly patching my systems, changing configurations, or employing anti-malware tools, and I'm certainly not going to quarantine my environment just because we've had a ransomware attack and so-called "experts" claim that my system will never recover! You might take my data, but you'll never take my FREEDOM!
Friday 19th February 2021 01:42 GMT HildyJ
Non-governmental malware shops and solo hackers have the same problem that IT shops have: limited programmers and limited resources.
They use the vulnerabilities as long as they work.
Unfortunately, it doesn't make IT's job any easier because there's no way to predict what the next exploit will be.
Friday 19th February 2021 17:25 GMT Falmari
Only so many hours in the day
My thoughts when I first read the article. There are only so many hours in the day; only 2.6% are exploited because there are so many to choose from.
They will be used until they are fixed but then it is anyone's guess which of the unused 97.4% they will use next.
Friday 19th February 2021 23:40 GMT NonSSL-Login
Lies, damn lies and statistics
How many of those 18,000 were local exploits rather than remote?
How many of the exploits were auth bypass or remote code execution vs some cross script issue that needs interaction from an admin while logged in?
How often were the same RCE and privilege escalation used because no other exploits were needed?
Your honour, I rest my case.