2016 State of Vulnerability Risk Management Report: Security and Vulnerability Management & Other Topics
Companies are facing more potential vulnerabilities than ever before, but they may be relying on outdated means when it comes to security vulnerability assessment. Risk management is a complicated process that requires precise data and informed decision-making. As these threats become more common and effective, organizations of all sizes can’t afford to rely on traditional methods of risk assessment without taking steps toward remediation.
We analyzed the state of vulnerability risk assessment in 2016 and found that companies need to do more to protect themselves from cyber threats. Learn more about the 2016 State of Vulnerability Risk Management Report from NopSec.
The State of Vulnerability Risk Management in 2016
Most companies scan for potential vulnerabilities using the Common Vulnerability Scoring System (CVSS), but this method may not be enough to protect the company’s assets from a potential breach. The CVSS is aimed only at reporting for compliance, and the remediation of security vulnerabilities is sporadic at best. This leaves many companies unable to remedy possible vulnerabilities.
By and large, vulnerability management programs are driven by the need to document and report on vulnerabilities for compliance purposes. They are typically measured in terms of lower overall vulnerability count. Thus, the current methodology for classifying vulnerabilities based on criticality lacks the necessary context to establish a set of actionable priorities and lacks predictive value.
Another problem is the sheer volume of scanner output. Companies often lack the resources to make sense of this data, let alone act on it by remediating the potential vulnerability.
Organizations often feel that these vulnerability management programs are simply too time-consuming or manually intensive to use properly, which means they could miss crucial steps in remediation: applying patches and making security configuration changes.
Additionally, many companies lack the supplementary or contextual information needed to remediate the latest software vulnerabilities. They often don’t understand how these potential risks affect their business or what steps should be taken to patch the system. Information overload isn’t the solution. Companies need to find a way to prioritize certain information while looking at the complete picture in order to protect themselves from a potential breach.
Analyzing the CVSS
The CVSS (common vulnerability scoring system) remains a key asset for risk assessment management. It creates a common weakness enumeration based on the identified vulnerabilities. However, many companies make the mistake of looking at the CVSS score in isolation without considering external or supplementary factors, especially if the system puts out a high volume of critical vulnerabilities.
The CVSS is meant for use by a range of industries and organizations, which means the results are rarely tailored to the individual company. The CVSS gives all security factors equal weight to create a balanced risk assessment report. But weighting all critical vulnerabilities with equal risk has the practical outcome of prioritizing none. Vulnerability management programs must have a prioritized set of vulnerabilities, driven by insights into the relative risk to the organization, to operate effectively. The challenge is compounded by the relative lack of visibility into asset infrastructure and frameworks to assign a business value to the asset where vulnerabilities have been identified.
By incorporating context and additional data feeds, including social media trend analysis on exploits, organizations can move beyond information overload and advance a risk-driven approach to vulnerability remediation.
To address this, NopSec has set out to devise a risk scoring methodology more representative of the current threat environment organizations face. The approach is built on a multidimensional model that integrates scanner results with external data feeds. Our Technical Risk Score re-weights CVSS attributes based on our research (weighing the factors correlated with attacks and data breaches more heavily) and incorporates additional data about public exploit availability, malware correlation, and social media feeds.
Additionally, NopSec’s risk score measures the “business risk” of a vulnerability by taking into account the context of the information asset a vulnerability affects. The goal of this report is to shed some light on the current threat landscape for organizations and assess the strengths.
About the 2016 State of Vulnerability Risk Management Report
When analyzing the current state of risk assessment management, NopSec identified 1,000,000 unique vulnerabilities found on our clients’ systems. For our purposes, we define a unique vulnerability as a unique combination of client, vulnerability ID, asset, and port affected. We use this definition because a vulnerability’s intrinsic attributes are only one part of risk—the context in which a vulnerability is present is often just as important.
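The following example is added here and is not NopSec's code or published weighting; it illustrates two points made above: collapsing scanner rows to the unique-vulnerability key (client, vulnerability ID, asset, port), and re-ranking findings that share a CVSS score using public exploit availability, malware correlation, social media trend and the affected asset's business value. The findings, feeds, multipliers and asset values are constructed assumptions for illustration.

```python
# Constructed scanner output: (client, vulnerability id, asset, port, CVSS base score).
# Ids, hosts and scores are made up; the repeated row models a scanner reporting
# the same finding twice.
RAW_FINDINGS = [
    ("acme", "VULN-0001", "web01", 443, 9.8),
    ("acme", "VULN-0001", "web01", 443, 9.8),   # duplicate of the row above
    ("acme", "VULN-0002", "db01", 1433, 9.8),
    ("acme", "VULN-0003", "kiosk7", 80, 9.8),
    ("acme", "VULN-0004", "db01", 22, 7.5),
]

# Constructed external context feeds (assumed shape and values, not NopSec's data).
EXPLOIT_PUBLIC = {"VULN-0003", "VULN-0004"}          # public exploit code exists
MALWARE_LINKED = {"VULN-0004"}                       # observed in malware campaigns
SOCIAL_TREND = {"VULN-0003": 0.9, "VULN-0001": 0.1}  # 0..1 level of public chatter
ASSET_VALUE = {"db01": 1.0, "web01": 0.7, "kiosk7": 0.2}  # business value, 0..1


def dedupe(findings):
    """Collapse rows to the report's unique-vulnerability key: (client, id, asset, port)."""
    unique = {}
    for client, vid, asset, port, cvss in findings:
        unique[(client, vid, asset, port)] = cvss
    return unique


def technical_score(vid, cvss):
    """CVSS base re-weighted by threat context. The multipliers are assumed for
    illustration; the report does not publish NopSec's actual weights."""
    score = cvss
    if vid in EXPLOIT_PUBLIC:
        score *= 1.5
    if vid in MALWARE_LINKED:
        score *= 1.3
    return score * (1 + 0.5 * SOCIAL_TREND.get(vid, 0.0))


def cvss_only(findings):
    """The baseline the page criticises: rank by CVSS base score alone (ties everywhere)."""
    rows = [(cvss, vid, asset, port) for (_, vid, asset, port), cvss in dedupe(findings).items()]
    return sorted(rows, reverse=True)


def prioritize(findings):
    """Risk-driven ranking: technical score scaled by the affected asset's business value."""
    rows = []
    for (_, vid, asset, port), cvss in dedupe(findings).items():
        # An asset with no recorded business value is given a middle weight rather than dropped.
        business_risk = technical_score(vid, cvss) * ASSET_VALUE.get(asset, 0.5)
        rows.append((business_risk, vid, asset, port, cvss))
    return sorted(rows, reverse=True)
```

With these inputs the three findings that tie at CVSS 9.8 are separated, and the CVSS 7.5 finding with a public exploit and malware correlation on the highest-value asset moves to the top.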
We looked at companies in a wide variety of industries and separated them into five categories: Financial, Healthcare, Insurance, Technology, and Other.
While these reports don’t represent the definitive analysis of all possible threats these clients are facing, we believe that our research offers important insight into how companies in various industries address vulnerabilities, the universal weaknesses companies across the five industries share, and factors that should be incorporated into a comprehensive threat detection and vulnerability remediation program.
Microsoft was again one of the top vendors by vulnerability count in every industry vertical due to its wide global deployment. However, vulnerabilities in applications from vendors such as Adobe, Mozilla, and VMware were also significant in 2016.
Because the CVSS score is only based on the attributes of the vulnerability, and does not incorporate external information like public exploits, malware correlation, and social media feeds, remediation programs will continue to fall short as an effective foundation for prioritization.
Download the full 2016 State of Vulnerability Risk Management Report from NopSec to learn more about how vulnerability risk assessment changed in 2016.