Study: Organizations taking months to remediate vulnerabilities

NopSec analyzed all the vulnerabilities in the National Vulnerability Database and then looked at a subset of more than 21,000 vulnerabilities identified in all industries across its client network.
NopSec analyzed all the vulnerabilities in the National Vulnerability Database and then looked at a subset of more than 21,000 vulnerabilities identified in all industries across its client network.

On average, nearly half a year passes by the time organizations in the financial services industry and the education sector remediate security vulnerabilities, according to new research from NopSec.

For the study, the security firm analyzed all the vulnerabilities in the National Vulnerability Database and then looked at a subset of more than 21,000 vulnerabilities identified in all industries across NopSec's client network, Michelangelo Sidagni, NopSec Chief Technology Officer and Head of NopSec Labs, told SCMagazine.com in a Tuesday email correspondence.

According to the findings, organizations in the financial services industry and the education sector remediate security vulnerabilities in 176 days, on average. Meanwhile, the healthcare industry takes roughly 97 days to address bugs, and cloud providers fix flaws in about 50 days.

“Based on conversations with our clients in the financial sector, it's taking them 176 days to fix vulnerabilities because they are in a highly regulated sector that imposes strict procedures in terms of change management and enforces strict time windows for security patch application,” Sidagni said. “This slows down the process of remediation considerably.”

The process needs to speed up – Sidagni said that even 50 days to remediate a vulnerability is still quite a bit of time, especially considering that skilled attackers can create ad hoc exploits from known vulnerabilities in just a few days.

The answer may lie in better prioritization, Sidagni said. He explained that organizations are relying too much on just the Common Vulnerability Scoring System (CVSS) score to measure risk associated with vulnerabilities, and are not looking at other factors such as whether exploits are publicly available or whether malware is targeting a specific vulnerability.

Sidagni added that many organizations are still managing vulnerabilities using Excel spreadsheets and other disparate systems, so there is no unified view for teams tasked with remediation. More automation in areas such as task management, as well as integrating testing and remediation into SecDevOps cycles, can help improve the process, he said.

Also in the report, NopSec analyzed which industries have the most vulnerabilities per asset, which means the average number of vulnerabilities present on each host. Cloud/IT providers had an average of 18 vulnerabilities per asset, while the financial services industry had six and the healthcare sector had three.

“This is probably due to the fact the Cloud/IT provider have a greater use of open source solutions as well as a wider array of software solutions in order to accelerate their deployment flexibility,” Sidagni said. “That, in turn, contributes to the number of vulnerabilities per each host.”

Additional analysis went into the correlation of vulnerability criticality with the number of Twitter mentions. Vulnerabilities targeted by malware had an average of 115 mentions on Twitter, and vulnerabilities considered critical by NopSec had an average of 748 tweets.

“The social media analysis indicates there is a direct correlation between the risk of a security vulnerability and its social media mentions, regardless of the vulnerability's CVSS score classification,” Sidagni said. “For example, Heartbleed had a CVSS score rated as medium, but it is one of the most talked about vulnerabilities in social media.”

He added that the “CVSS score is often a weak indicator of the true vulnerability risk organizations are facing. Correlation with publicly available exploits, malware found in the wild, and mentions in social media are better indicators of real vulnerability risk.”

You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS