NopSec Report Finds Organizations Use Inadequate Risk Evaluation Scoring System

NopSec released a featured annual report, “2016 State of Vulnerability Risk Management.” The report reveals key security threats by industry, cross-industry remediation developments, malware-based vulnerabilities, and the rising correlation of social media and security threats. Conducted by the NopSec Labs research team, the report analyzes over a million unique vulnerabilities and more than 76,000 vulnerabilities contained in the National Vulnerability Database over a 20-year period. Get the report now.

“Our goal with the dedicated data science and security research efforts is to provide organizations with a deeper data-driven insight to the current threat landscape, and more importantly, what practical actions companies can take to effectively prioritize and remediate security risks,” noted NopSec’s CEO, Lisa Xu. “Our ultimate mission is to help and empower organizations to make better decisions to reduce their cybersecurity exposure.”

In the 2016 Report, NopSec partnered with FireEye Labs to evaluate the malware-based risk of vulnerabilities and their potential risks to be “weaponized” by active malware in the wild.

“Vulnerability management and mitigation can be more effective and prioritized on vulnerabilities used by malicious attackers in the wild where critical assets are exposed,” said Geok Meng Ong, director, FireEye Labs, FireEye.

Top findings include:

The CVSS base score is not enough – Relying solely on the CVSS Base Score makes it impossible to prioritize vulnerability risks, but its subscores combined with other factors such as context, social media trend analysis, and data feeds deliver a better risk evaluation and prioritization.

Social media is now a top platform for cybersecurity – Twitter is becoming one of the top platforms for security researchers and attackers looking to disseminate proof-of-concept exploits. Vulnerabilities associated with active malware are tweeted 9 times more than vulnerabilities with just a public exploit and 18 times more than all other vulnerabilities. NopSec’s Unified VRM is the only vulnerability risk management platform in the industry that incorporates Twitter data into its risk ranking evaluation.

Hacking difficulty won’t stop a hacker – The report indicates that attackers care less about how easy a vulnerability is to exploit, and more about the actual impact and outcome of the the exploited vulnerability. 75% of exploited vulnerabilities resulted in high data loss, while only 20% of vulnerabilities without a public exploit experienced complete data loss.

Exploit techniques are more sophisticated than ever – Exploit kits such as Angler and Nuclear are becoming increasingly sophisticated, integrating a wide range of Microsoft, Adobe Flash, and Oracle Java exploits with 98% of the exploits tracked by FireEye coming from those three vendors.

“Relying only on the CVSS score to drive prioritization for applying patches needs to change. Organizations need to align the patching methodology to the infrastructure risk, business risk and change risk,” said Arnold Felberbaum, Strategic Advisor to NopSec, former CISO, and adjunct professor in Information Security at NYU Tandon School of Engineering. “As NopSec points out in their research, CVSS needs to be complemented with industry intelligence, social media and measures already operating. Organizations need to recognize that it is not about ‘if’ a patch needs to be applied but when. Patching consumes resources and automation can reduce the resource drain.”

From the outset, NopSec has focused on pioneering a way to measure vulnerability risk based on threats to the organization’s valuable assets in an event of a potential breach. NopSec’s award-winning Unified VRM SaaS platform utilizes patented Adaptive Expert Intelligence Engine to detect and prioritize threats, and automate the remediation workflow.

“The security industry has been in need of a reality check on vulnerability data for some time,” said Adrian Sanabria, Analyst for 451 Research. “We’ve been vocal about the dangers of taking CVSS scores at face value and the need to correlate vulnerabilities with real world threat intelligence and expert experience. NopSec has taken this approach and explores the relationships between CVSS scores, social media activity, threat data courtesy of FireEye, and data from NopSec’s own customer base. The results should make companies think twice before spending considerable time and budget, fixing a vulnerability labeled ‘critical’.”

Download the 2016 State of Vulnerability Risk Management Report to explore the findings in more detail.