Vulnerability remediation is suffering as security teams face fatigue from the growing number of publicly disclosed vulnerabilities.
According to an analysis by S&P Global Ratings, a joint venture between S&P Global and the cyber risk analytics firm Guidewire, nearly three-quarters of organizations remediate vulnerabilities affecting their systems only occasionally or infrequently.
“Our analysis suggests that some of the organizations we rate may be slow to address highly targeted cyber threats, increasing the risk of computer systems being compromised,” said Paul Alvarez, lead cyber risk expert at S&P Global Ratings.
The analysis, which used Guidewire’s 2023 scan of Internet-facing computer systems, considered vulnerability data for more than 7,000 organizations in the financial and business sectors.
Remediation is slow
An analysis of 2023 vulnerability scans of systems within the “attack surface,” meaning computer systems that are connected to the Internet and easily reachable, found that 30% of organizations remediate these vulnerabilities only “occasionally.”
More than 40% of organizations were found to remediate “infrequently,” meaning that seven out of ten organizations have poor remediation practices for high-risk vulnerabilities.
The growing volume of discovered vulnerabilities makes it difficult to determine what needs to be fixed, according to the report. Prioritization based solely on the traditional Common Vulnerability Scoring System (CVSS) can also make security worse by contributing to remediation delays.
Prioritization alone may not be enough
The CVSS system provides a standardized method for rating vulnerabilities that takes into account factors such as how a vulnerability can be exploited, the complexity of exploitation, the privileges required, the user interaction required, and the impact of a successful exploit.
This system may lack additional metrics that would allow more accurate prioritization. The report considers the Exploit Prediction Scoring System (EPSS), created by a group of incident responders and security experts called the Forum of Incident Response and Security Teams (FIRST).
“EPSS collects as much vulnerability information as possible, as well as evidence that vulnerabilities are being exploited,” Alvarez explained. “This includes (but is not limited to) information about the vulnerability itself, availability of exploit code, communication about the vulnerability on social media, and data from offensive security tools and scanners.”
EPSS feeds all of the collected information into a trained model to produce a probability that a vulnerability will be exploited, he added.
The vulnerabilities observed in the analysis averaged a CVSS score of 4.87 out of 10 and an EPSS score of 0.33 (on a scale of 0 to 1). While this may make EPSS look a little lenient, Alvarez has a different explanation.
“Since the CVSS and EPSS scores look at vulnerabilities differently, it’s not an apples-to-apples comparison,” he said. “CVSS scores do not look at real-world threat data. Therefore, a vulnerability may have a high CVSS score but a low EPSS score. That is why both scores must be considered when trying to prioritize risk management.”
Age of vulnerability plays a role
Old vulnerabilities are exploited repeatedly because of their high chance of success, according to the report.
The analysis accordingly reveals a serious threat: 28% of the detected vulnerabilities date from 2016, seven years ago. About 75% of these vulnerabilities were publicly disclosed seven or more years ago, with the oldest being 24 years old.
This continued exploitation of aging vulnerabilities underscores the critical need for timely and effective vulnerability management. Poor remediation, as revealed in the analysis, may also indicate broader weaknesses in overall governance and controls, the report said.
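As an added illustration of the points above (not code from the report, S&P Global Ratings, Guidewire or FIRST), the following Python sketch ranks findings by combining the CVSS score with the EPSS exploitation probability and uses the report’s seven-year cut-off to flag stale disclosures. The thresholds, bucket names, scan date and sample findings are assumptions constructed for the demo; only finding E reuses the report’s averages.

```python
from dataclasses import dataclass
from datetime import date

# Thresholds are assumptions for this illustration, not values from the report.
CVSS_HIGH = 7.0     # CVSS v3 "High" severity starts at 7.0
EPSS_HIGH = 0.1     # EPSS probability above which we treat exploitation as likely
STALE_YEARS = 7     # the report's cut-off for an "old" public disclosure
SCAN_DATE = date(2023, 12, 31)  # assumed reference date for the 2023 scan

# (severe?, likely exploited?) -> (rank, action); lower rank sorts first.
# Evidence of real-world exploitation outranks a high score on paper.
BUCKETS = {
    (True, True): (0, "patch now"),
    (False, True): (1, "patch soon"),
    (True, False): (2, "schedule"),
    (False, False): (3, "monitor"),
}

@dataclass(frozen=True)
class Finding:
    cve: str         # placeholder identifier, not a real advisory
    cvss: float      # CVSS base score, 0-10
    epss: float      # EPSS probability of exploitation, 0-1
    disclosed: date  # public disclosure date

def quadrant(f: Finding) -> tuple:
    """(rank, action) for the CVSS/EPSS quadrant the finding falls into."""
    return BUCKETS[(f.cvss >= CVSS_HIGH, f.epss >= EPSS_HIGH)]

def is_stale(f: Finding, today: date = SCAN_DATE) -> bool:
    """True when disclosure is STALE_YEARS or more before `today` (365-day years)."""
    return (today - f.disclosed).days >= STALE_YEARS * 365

def prioritize(findings, today: date = SCAN_DATE) -> list:
    """Return (cve, action, stale) tuples, most urgent first: by quadrant,
    then higher EPSS, then higher CVSS, so an old but actively exploited
    finding is never buried behind a new one with no exploitation evidence."""
    ordered = sorted(findings, key=lambda f: (quadrant(f)[0], -f.epss, -f.cvss))
    return [(f.cve, quadrant(f)[1], is_stale(f, today)) for f in ordered]

# Constructed sample data; scores are invented except E, which uses the
# report's averages (CVSS 4.87, EPSS 0.33).
SAMPLE = [
    Finding("CVE-PLACEHOLDER-A", 9.8, 0.02, date(2023, 3, 1)),
    Finding("CVE-PLACEHOLDER-B", 5.3, 0.90, date(2016, 5, 10)),
    Finding("CVE-PLACEHOLDER-C", 7.5, 0.60, date(2022, 9, 15)),
    Finding("CVE-PLACEHOLDER-D", 4.0, 0.01, date(2021, 1, 20)),
    Finding("CVE-PLACEHOLDER-E", 4.87, 0.33, date(2017, 6, 1)),
]
```

Running `prioritize(SAMPLE)` puts the critical-looking finding A (CVSS 9.8, EPSS 0.02) behind the moderately scored but actively exploited B and E, which is the ordering the quoted advice to consider both scores implies.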