Enterprises struggle to evaluate security risks
Many organizations rely on the Common Vulnerability Scoring System (CVSS) to evaluate cyber risks, but a new report suggests that relying on the score alone is not enough.
NopSec, a provider of cybersecurity threat prediction and remediation solutions, has released its 2016 State of Vulnerability Risk Management report. The report suggests that CVSS subscores, combined with other factors such as asset context, social media trend analysis, and threat intelligence data feeds, deliver better risk evaluation and prioritization than the base score alone.
"Relying only on the CVSS score to drive prioritization for applying patches needs to change. Organizations need to align the patching methodology to the infrastructure risk, business risk and change risk," said Arnold Felberbaum, strategic advisor to NopSec, former CISO, and adjunct professor in information security at NYU Tandon School of Engineering. "As NopSec points out in their research, CVSS needs to be complemented with industry intelligence, social media and measures already operating. Organizations need to recognize that it is not about 'if' a patch needs to be applied but when. Patching consumes resources and automation can reduce the resource drain."
Other findings include the value of social media to both sides of the conflict, with Twitter becoming one of the top platforms for security researchers and attackers looking to disseminate proof-of-concept exploits. Vulnerabilities associated with active malware are tweeted 9 times more often than vulnerabilities with only a public exploit, and 18 times more often than all other vulnerabilities. NopSec's Unified VRM risk management platform incorporates Twitter data into its risk ranking evaluation.
The report also indicates that attackers care less about how easy a vulnerability is to exploit, and more about the actual impact and outcome of the exploited vulnerability. 75 percent of exploited vulnerabilities resulted in high data loss, while only 20 percent without a public exploit experienced complete data loss.
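One way to turn the report's recommendation into a working ranking, as an added example that is not from the article or from NopSec's Unified VRM: a small Python scorer that starts from the CVSS base score and adjusts it for exploit state (active malware, proof-of-concept only, or none), Twitter chatter and asset criticality. The weights, the `CVE-XXXX-*` placeholder identifiers and the tweet counts are constructed for illustration, not taken from the report.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve_id: str               # placeholder identifier, not a real CVE
    cvss_base: float          # CVSS base score, 0.0 to 10.0
    public_exploit: bool      # a proof-of-concept exploit has been published
    active_malware: bool      # seen in malware or exploit-kit use
    tweets_7d: int            # Twitter mentions over the last week (constructed)
    asset_criticality: float  # business context: 0.0 (lab host) to 1.0 (crown jewels)


# Assumed multipliers (this example's own, not NopSec's weighting): an exploit
# in active use in the wild dominates, a bare proof of concept counts for less.
EXPLOIT_MULTIPLIER = {"malware": 2.0, "poc": 1.4, "none": 1.0}


def exploit_state(v: Vuln) -> str:
    """Classify the vulnerability by the strongest exploitation evidence available."""
    if v.active_malware:
        return "malware"
    return "poc" if v.public_exploit else "none"


def social_factor(tweets: int, baseline: int = 5) -> float:
    """Log-scaled boost for chatter above a baseline; 1.0 at or below the baseline."""
    if tweets <= baseline:
        return 1.0
    return 1.0 + 0.25 * math.log2(tweets / baseline)


def risk_score(v: Vuln) -> float:
    """CVSS base x exploit state x social chatter x business context, rounded to 2 dp."""
    context = 0.5 + 0.5 * v.asset_criticality  # never zero out a finding entirely
    score = v.cvss_base * EXPLOIT_MULTIPLIER[exploit_state(v)] * social_factor(v.tweets_7d) * context
    return round(score, 2)


def prioritize(vulns):
    """Return the inventory ordered from highest to lowest contextual score."""
    return sorted(vulns, key=risk_score, reverse=True)


# Constructed sample inventory: note that the CVSS 9.8 finding with no exploit
# ends up below two CVSS 7.5 findings that are exploited in the wild.
SAMPLE = [
    Vuln("CVE-XXXX-0001", 9.8, False, False, 2, 0.3),
    Vuln("CVE-XXXX-0002", 7.5, True, True, 180, 0.9),
    Vuln("CVE-XXXX-0003", 7.5, True, False, 20, 0.9),
    Vuln("CVE-XXXX-0004", 5.3, False, False, 0, 1.0),
]

if __name__ == "__main__":
    for v in prioritize(SAMPLE):
        print(f"{v.cve_id}: cvss={v.cvss_base} state={exploit_state(v)} score={risk_score(v)}")
```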
It also finds that exploit techniques are more sophisticated than ever. Exploit kits such as Angler and Nuclear integrate a wide range of Microsoft, Adobe Flash, and Oracle Java exploits, with 98 percent of the exploits tracked by FireEye targeting products from those three vendors.
You can find out more in the full report, which is available to download from the NopSec website.