Vulcan Cyber's latest research into vulnerability risk prioritization and mitigation programs found that IT security teams are struggling to transition from simple vulnerability identification to meaningful response and mitigation. Because of this, business leaders and IT management professionals are constrained in their ability to gain the important insights needed to effectively protect valuable business assets, rendering vulnerability management programs largely ineffective.
Risk without business context is irrelevant. The survey found that the majority of respondents tend to group vulnerabilities by infrastructure (64%), followed by business function (53%) and application (53%). This is concerning as risk prioritization based on infrastructure and application groupings without asset context is not meaningful. The inability to correlate vulnerability data with actual business risk leaves organizations exposed.
The vast majority of decision-makers reported using two or more of the following models to score and prioritize vulnerabilities: the Common Vulnerability Scoring System (CVSS) at 71%, OWASP Top 10 (59%), scanner-reported severity (47%), CWE Top 25 (38%), or bespoke scoring models (22%). To deliver meaningful cyber risk management, a bespoke scoring model that accounts for several industry-standard scoring systems is ideal and most efficient.
The more control over risk scoring and prioritization a security team has, the more effective they can be in mitigating cyber risk. But there is no industry-wide framework for risk-based vulnerability management, which means cyber hygiene continues to fall short and vulnerabilities continue to generate risk.
Sensitive data exposure was ranked as the most common enterprise concern resulting from application vulnerabilities, as reported by 54% of respondents. This was followed by broken authentication (44%), security misconfigurations (39%), insufficient logging and monitoring (35%), and injection (32%). Respondents also indicated that the MS14-068 vulnerability, otherwise known as the Microsoft Kerberos vulnerability exploitable by unprivileged user accounts, was the most concerning vulnerability to their organizations. Interestingly, this vulnerability was called out over more high-profile vulnerabilities such as MS08-067 (Windows SMB, aka Conficker, Downadup, Kido, etc.), CVE-2019-0708 (BlueKeep), CVE-2014-0160 (OpenSSL, aka Heartbleed), and MS17-010 (EternalBlue).
Since this survey was conducted earlier this year, the Log4j (Log4Shell) vulnerability announced this week was not reflected in the report data. However, Vulcan Cyber is seeing how easy it is to exploit this vulnerability, with ransomware continuing to be a favorite playbook. This, yet again, underscores the importance of collaboration between business leaders and IT teams to effectively reduce cyber risk to their organizations through ongoing cyber hygiene efforts and well-executed vulnerability management programs.
Vulcan Cyber’s report is based on a survey of more than 200 enterprise IT and security executives conducted by Pulse.
Read the full report by Vulcan Cyber.