Organizations take too long to fix security vulnerabilities
A new study from threat prediction and remediation specialist NopSec reveals key security vulnerability issues and highlights the length of time it takes for enterprises to fix problems.
NopSec analyzed more than 65,000 vulnerabilities contained in the National Vulnerability Database over a 20-year period, as well as a subset of more than 21,000 of those vulnerabilities identified across customers in all industries.
Key findings include that Microsoft and Apple dominate the vulnerability chart, based on the two-decade analysis, with Linux operating systems trailing behind. In addition, Adobe, Apple, Microsoft, Mozilla and Oracle face the most severe vulnerabilities.
While rapid vulnerability detection is at an all-time high, it still takes the typical organization too long to address known security issues. The average time it takes to fix a security vulnerability is 103 days. However, this varies by industry: cloud providers respond fastest (50 days), followed closely by healthcare organizations (97 days), while financial services companies and education organizations take a worrying 176 days to take corrective action. That means they're potentially exposed to data breaches for almost six months. Even worse, nearly a third (32 percent) of security vulnerabilities in the financial industry take more than a year to fix.
Cloud providers are more exposed to attack, with an average of 18 vulnerabilities per asset. This contrasts with six vulnerabilities per asset in financial services, three in healthcare and two in education. The type of vulnerability matters too: while application vulnerabilities are fixed within three weeks on average (20 days), network vulnerabilities are left unaddressed for a scary 182 days.
Interestingly, although threats may be going unfixed within organizations, they're often well known on social media. The typical security vulnerability averages 115 social media mentions when there is a known malware exploit. However, that number increases when an exploit earns a "critical" risk severity rating based on the NopSec technical risk score: critical vulnerabilities average 748 social media mentions, whereas high-risk vulnerabilities rate only 89 mentions.
"Organizations are still very vulnerable to exploitation. Although businesses have been alerted to the potential risks, system vulnerabilities and misconfigurations continue to be the root causes for costly security breaches," says Michelangelo Sidagni, NopSec Chief Technology Officer and Head of NopSec Labs. "Detection is simply not enough in today's threat landscape of sophisticated attacks; organizations need to focus on improving threat prioritization. Vulnerability remediation efforts need to move much faster than they are right now in order to close the window of opportunity for exploitation and win the race against hackers."
More information on the study is available on the NopSec website.