
What cybersecurity trends do this vulnerability report reflect?

Author: Guangming Net

Recently, China's National Information Security Vulnerability Sharing Platform (CNVD) released a report based on the vulnerability data published by the China National Information Security Vulnerability Database (CNNVD) in 2022. The report compiles statistics on growth in the number of vulnerabilities, their types, severity levels, repair status and attack hazards, analyses the development trends and characteristics of vulnerabilities, and proposes working approaches for vulnerability prevention and mitigation.

In 2022, nearly 25,000 new vulnerabilities were recorded, a record high that continues the trend of year-on-year growth. The proportion of ultra-high-severity vulnerabilities continues to rise, the vulnerability repair rate has increased significantly, and the threat posed by vulnerabilities remains grim. The overall situation has changed in new ways: the number of high-risk vulnerabilities has reached new highs, zero-day competition has become a new focus of offensive and defensive contests, unilateral vulnerability management and control is disrupting the international order, and cyber hegemonism is encroaching on rights and interests in cyberspace, making the overall cybersecurity situation more complex and severe.

Regarding the disclosure of vulnerabilities. As of the end of 2022, CNNVD had published a total of 199,465 vulnerability records, of which 24,801 were added in 2022. In terms of hazard level and repair status, the new vulnerabilities in 2022 comprised 4,200 ultra-high-severity, 9,968 high-risk, 10,146 medium-risk and 487 low-risk vulnerabilities, with corresponding repair rates of 54.86%, 79.65%, 76.13% and 91.38%; the overall repair rate was 77.76%. By vendor, Google had the largest number of product vulnerabilities in 2022, with 1,411 new vulnerabilities, followed by Microsoft with 963. By vulnerability type, cross-site scripting vulnerabilities were the most common, with 3,217 records accounting for 12.97% of the total.

Regarding vulnerability trend analysis. As global digitalization, networking and intelligent systems advance, the number, severity and visibility of network security vulnerabilities are soaring, and the development of the digital economy faces escalating challenges in network security.

Among these trends, the number of high-risk vulnerabilities has reached a new high. From 2018 to 2022 the number of vulnerabilities grew for five consecutive years; the number of new vulnerabilities in 2022 was the highest ever recorded, an increase of 52% over 2018, and the number of ultra-high-risk vulnerabilities doubled compared with 2018.

[Figure: comparative statistics of the number of new vulnerabilities and the number of ultra-high-severity vulnerabilities, 2018 to 2022]

In 2022, the growth rate accelerated significantly compared with the previous year, and the growth rate of ultra-high-risk vulnerabilities rose in step; the proportion of ultra-high-risk vulnerabilities in 2022 was 57%, a large increase over previous years. The growth rates of new vulnerabilities and of ultra-high-risk vulnerabilities from 2018 to 2022 are shown in the figure below.

[Figure: growth rate of the number of vulnerabilities and growth rate of ultra-high-risk vulnerabilities, 2018 to 2022]

According to the combined monthly data of the past five years, the number of new vulnerabilities in each year was generally high in April, October and December, and relatively low in February, May and November.

[Figure: monthly distribution of the number of vulnerabilities, 2018 to 2022]

Suggested next steps:

The first is to promote international cooperation mechanisms for vulnerability management, counter cyber hegemony, and build a community with a shared future in cyberspace. Digital transformation is a global economic development trend and the global digital supply chain is deeply intertwined; unilateral supply restrictions and prohibitions are not in line with the development concept of win-win cooperation, whereas providing high-quality digital technology and responsibly ensuring product safety and performance over the long term is the way to expand international markets. In particular, it is necessary to establish a guarantee mechanism for the timely sharing of vulnerability information with suppliers of core basic digital products, jointly create international vulnerability norms and standards, lead new rules for the international vulnerability governance system, and protect security rights and interests to the greatest extent.

The second is to make the national mechanism for vulnerability governance work smoothly, and to coordinate the establishment and improvement of the vulnerability governance system. Vulnerability governance is the key link in preventing non-traditional security risks from turning into traditional security risks, the basis for improving national security governance capabilities, and an important strategic task in maintaining national security. The key and foundation of vulnerability governance is to rely on a working mechanism of unified deployment at the national security level, clarify the functions of vulnerability governance, build governance capabilities such as basic research, discovery and detection, risk assessment and talent management, and coordinate the construction of a vulnerability risk governance system so that vulnerability risks are effectively managed and controlled.

The third is to create a healthy vulnerability ecosystem and promote research and application innovation in vulnerability technologies. The vulnerability industry is an important pillar of vulnerability risk governance. On the basis of cracking down severely on the black-market chain, it is necessary to reasonably guide upstream output, strengthen access control and supervision of midstream participants, use policy support to encourage downstream enterprises to apply innovation actively, plan the overall development direction of the industry, effectively improve industrial efficiency, and give full play to the industry's important role in vulnerability governance.

Fourth, strengthen the construction of vulnerability awareness mechanisms and means to improve network security defense capabilities. Once major vulnerabilities are disclosed, it is difficult for large organizations to immediately complete the repair of all vulnerable assets across the entire network. In the field of critical infrastructure, it is necessary to manage critical infrastructure network assets well and achieve a clear inventory ("clear numbers"). Relevant departments should coordinate and organize technical forces to pool resources on vulnerability attack characteristics, strengthen capacity building for identifying vulnerability attacks, and effectively support the cybersecurity protection of national critical infrastructure; relevant law enforcement departments should prevent and combat illegal and criminal activities such as sabotage, theft and espionage carried out by exploiting vulnerabilities, at home and abroad.

Fifth, accelerate the formulation of vulnerability standards and the construction of the standards system, and consolidate basic research capabilities on vulnerabilities. Although vulnerabilities are inevitable, effective management and technical means can reduce their number, lower the level of vulnerability risk, and improve the security of digital products. A complete system of vulnerability management standards should be established, compiling a series of standards covering vulnerability risk levels, classification and security testing, to provide a technical basis for building and implementing vulnerability risk assessment mechanisms. (Guangming Network reporter Wang Yihan)

Source: Guangming Web