Which IT assets present the most risk?
New research from vulnerability management specialist Kenna Security seeks to quantify the comparative risk of using assets based on Microsoft, Apple, Linux, or Unix platforms, as well as network devices.
The study finds that asset mix plays a key role in determining the number of security vulnerabilities an organization has to contend with every month along with its ability to minimize cyber risk.
"This research sheds light on some of the big questions in enterprise environments and vulnerability management. Are some assets riskier than others?" says Ed Bellis, co-founder and CTO at Kenna Security. "Some assets have fewer vulnerabilities. Some assets receive lightning-fast patches. These groups don't really overlap. The data we're sharing can help enterprise IT and security better decide how to prioritize asset-based risk in their own environments."
Among the detailed findings: 70 percent of all Microsoft assets in enterprise IT environments had at least one high-risk vulnerability, but Microsoft products tended to be patched faster than other systems because of the company’s steady flow of automated patches. A Windows-based asset has an average of 119 vulnerabilities per month. Those vulnerabilities are patched within 36 days on average. For comparison, network devices like routers, printers, or Internet of Things appliances had an average of 3.6 vulnerabilities every month, but it takes an average of one year to fix them.
But in spite of higher patch rates, the sheer number of Microsoft machines leads to large numbers of unpatched vulnerabilities on those networks. In the study period, researchers found a combined 215 million vulnerabilities on Microsoft machines, 179 million of which were patched. The remaining 36 million unpatched vulnerabilities on Microsoft machines exceed the total number of vulnerabilities -- patched or unpatched -- found on Mac, Linux, Unix, or network devices put together.
Apple devices using OSX had the second-highest critical patch rate of all asset classes, at 79 percent, while just two-thirds of high-risk vulnerabilities on Linux, Unix, or network devices were patched.
You can find out more on the Kenna blog.