The type of coverage a vulnerability receives on social media often correlates to that threat’s level of risk, reveals a recent report. This is just one of the findings of the 2015 State of Vulnerability Risk Management, a study issued earlier this month by NopSec Labs, a data science and research company that specializes in analyzing malware, exploit, vulnerability and other cyber threat risk patterns. NopSec Labs published the report, which analyzes some 65,000 vulnerabilities stored in the National Vulnerability Database over the past 20 years, as well as a subset of more than 21,000 of those vulnerabilities identified across customers in all industries in order to evaluate the current state of vulnerability risk management across multiple industries. Three notable takeways of the report included:
- SaaS providers have the highest number of vulnerabilities per asset.
- Cloud/IT companies have the lowest average remediation time.
- The exposure a vulnerability receives on social media often corresponds to its level of risk and severity rating.
These observations reflect Gemalto’s finding that over a billion records were compromised by data breaches in 2014. NopSec explains that many of these breaches were caused by unmitigated vulnerabilities. Despite advances in detection technologies, these types of risks continue to proliferate due to a host of challenges, including a lack of data and labor-intensive tasks. It is worth exploring each takeaway in greater detail:
SaaS Providers Have the Highest Number of Vulnerabilities Per Asset
Source: NopSec NopSec’s report reveals that Security-as-a-Service (SaaS) providers have the highest number of vulnerabilities per asset at 18 unique risks. This is followed by six in the financial sector, three in healthcare, and two in education. When it comes to top vendors, Microsoft outranks all others in vulnerability count across all industries. This is no surprise in the financial sector given its widespread implementation on workstations and servers. Oracle, Sun, Adobe, and Red Hat are also represented in this particular industry. Regarding the healthcare, education, and cloud/IT industries, open-source technologies, including OpenBSD, Apache, and Red Hat, are among the most vulnerable platforms.
Cloud/IT Companies Have the Lowest Average Remediation Time
Another finding of the 2015 State of Vulnerability Risk Management report is the significant variability in industry remediation time, here defined as the time that elapses between opening and closing a vulnerability ticket. Cloud providers have the lowest average remediation rate at 50 days, with healthcare companies taking nearly twice as long (an average of 97 days) to remediate its vulnerabilities. Meanwhile, the financial and education sectors have the highest remediation times at both 176 days. Further analysis reveals even more striking differences. For example, it takes between one and six months to remediate more than a third (36%) of the financial industry’s vulnerabilities, with close to another third (32%) of that same sector’s risks remaining active for more than a year. In the healthcare industry, nearly all (96%) of vulnerabilities are remediated within six months, whereas the education sector takes between one and 12 months to address the sum total of its network risks. Meanwhile, 95% of risks uncovered by the cloud/IT industry receive attention within one month. This is important given NopSec’s finding that cloud and IT companies discover the greatest number of vulnerabilities per asset.
Source: NopSec
A Vulnerability’s Exposure on Social Media Often Corresponds to its Level of Risk and Severity Rating
Source: NopSec Finally, NopSec’s study suggests that there is a correlation between a vulnerability’s security risk and the number of mentions it receives on social media. On average, vulnerabilities used in a targeted malware campaign received 115 tweets. This is significantly higher than the social media coverage witnessed by exploitable (15 tweets) and other (5 tweets) vulnerabilities. The report also reveals a relationship between social media and a vulnerability’s Common Vulnerability Scoring System (CVSS) score. A direct correlation was not observed, but a clear trend was nonetheless evident, especially with regards to bugs like Heartbleed and Shellshock. This is in contrast to the direct correlation observed between a vulnerability’s severity rating and its social media exposure. “Critical” vulnerabilities received an average of 748 tweets, which dwarfed the coverage received by vulnerabilities labeled “high” (89 tweets), “medium” (8 tweets), and “low” (3 tweets).
Conclusion
As 2015 State of Vulnerability Risk Management illustrates, while the cloud/IT sector is able to quickly remediate the vast majority of its risks, the same cannot be said about the financial, healthcare, and education industries. Companies in these sectors would therefore benefit from investing in technologies that provide data context if and when the appropriate resources become available. These solutions would assist IT teams in prioritizing security risks and in ultimately lowering their organizations’ average remediation time. Title image courtesy of ShutterStock
