This website requires certain cookies to work and uses other cookies to help you have the best experience. By visiting this website, certain cookies have already been set, which you may delete and block. By closing this message or continuing to use our site, you agree to the use of cookies. Visit our updated privacy and cookie policy to learn more.
This Website Uses Cookies
By closing this message or continuing to use our site, you agree to our cookie policy. Learn More
This website requires certain cookies to work and uses other cookies to help you have the best experience. By visiting this website, certain cookies have already been set, which you may delete and block. By closing this message or continuing to use our site, you agree to the use of cookies. Visit our updated privacy and cookie policy to learn more.
Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • Home
  • News
    • Security Newswire
    • Technologies
    • Security Blog
    • Newsletter
    • Web Exclusives
  • Columns
    • Career Intelligence
    • Security Talk
    • The Corner Office
    • Leadership & Management
    • Cyber Tactics
    • Overseas and Secure
    • The Risk Matrix
  • Management
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • More
  • Physical
    • Access Management
    • Video Surveillance
    • Identity Management
    • More
  • Cyber
  • Sectors
    • Education: University
    • Hospitals & Medical Centers
    • Critical Infrastructure
    • More
  • Exclusives
    • Security 500 Report
    • Most Influential People in Security
    • Top Guard and Security Officer Companies
    • The Security Leadership Issue
    • Annual Innovations, Technology, & Services Report
  • Events
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
    • Security 500 West
  • Resources
    • The Magazine
      • This Month's Issue
      • Digital Edition
      • Archives
      • Professional Security Canada
    • Videos
      • ISC West 2019
    • Photo Galleries
    • Polls
    • Classifieds & Job Listings
    • White Papers
    • Mobile App
    • Store
    • Sponsor Insights
    • Continuing Education
  • InfoCenters
    • Building AppSec in Enterprises
  • Contact
    • Editorial Guidelines
  • Advertise
Home » SPONSORED BY eSentire
Sponsored By
eSentire
Cyber Security NewsEnterprise ServicesCyberServices
Esentire-logo-300px
eSentire
eSentire, the global leader in Managed Detection and Response (MDR), keeps organizations safe from constantly evolving cyberattacks that technology alone cannot prevent. For more information, visit www.eSentire.com.

        

What are the Odds? How Vulnerable are You to the Latest Vulnerabilities?

cybersecurity-blog
July 1, 2019
Mark Sangster
KEYWORDS cyber risk mitigation / threat assessment / vulnerability management
Reprints
No Comments

Cybersecurity vulnerability management is a continuous race against time that is being compounded by the proliferation of new devices and applications within organizations.

Between 2015 and 2019, data from exploit-db reveals that the number of distinct products with reported vulnerabilities increased by 150 percent. Over this same period, the weaponization time for the creation of exploits to take advantage of these published vulnerabilities dropped from being several months to almost immediately. This drastic decrease in patching time has resulted in a situation where IT departments are faced with not having enough resources to identify and remediate critical vulnerabilities while having to continue to manage day-to-day business operations.

The Common Vulnerability Scoring System (CVSS) v3.0 used by the National Vulnerability Database (NVD) provides an open framework for communicating the potential impacts of IT vulnerabilities. It's a quantitative model that uses several metrics to generate a consistent numerical score that provides industries, organizations, and governments with a common understanding of how serious a vulnerability is. These numerical scores are then lumped into five tiers (none, low, medium, high, critical) which are intended to help organizations properly assess and prioritize their vulnerability management processes.

According to the Q1 2019 Quarterly Threat Report published by eSentire, on average, high and critical severity vulnerabilities (using CVSS v3.0) existed in about eight percent of externally facing assets across a sample from the more than 650 small and medium-sized enterprises that make up eSentire’s customer base.

The good news for organizations? Even with approximately eight percent of externally exposed endpoints being vulnerable, during this same period, eSentire observed only one successful exploitation of an externally facing asset, which was the exploitation of an outdated and unpatched Drupal web server.

 

High Priority External Vulnerabilities

 

The data from eSentire also shows that the insurance, technology and finance industries were observed to have the most exposed vulnerabilities. Despite these three industries being the most at risk of being exploited, the nature and diversity of vulnerabilities varied from industry to industry. For example, technology, finance, business services and healthcare all require a broad diversity of services running in their environments, making them vulnerable to exploitation through a large number of different vulnerabilities. In contrast, insurance companies tended to have less diversity in their technologies, which result in being susceptible to just a handful of exploits.

 

vulnerability weaponization time

 

An analysis of the average weaponization time--the time between the discovery of a vulnerability and the publishing of a related exploit--results in an exponentially decreasing curve, while confirmed exploitable vulnerabilities tend to grow. Further, there is a decline in the average measure when multiple exploits have been published for a single vulnerability, or a vulnerability is discovered which happens to already have an exploit for it.

Additionally, the number of individuals or organizations focused on vulnerability research has grown (likely motivated by monetary rewards via bug bounty programs). Therefore, while the diversity of available products has increased, so has the number of individuals and organizations focused on discovering and responsibly reporting vulnerabilities. While this suggests applications are better secured, the scrutiny from researchers occurs most often after a product is deployed. Thus, the discovery and remediation of vulnerabilities remain a core aspect of good risk management businesses.

While regular patching is the best way to lower a company’s exposure to the risk caused by vulnerabilities, organizations should also be aware of gaps that may not be addressed by regular patching policies. These gaps can occur when researchers become frustrated with vendor responsiveness and publish their research independently of the vendor. Gaps also can arise when serious vulnerabilities are identified in applications or products outside the normal patching scope. An example of this occurred in February 2019 with the popular freeware archive tool WinRAR when a vulnerability was disclosed along with proof of concept code with exploitation in the wild occurring just five days after publication.

Limiting or restricting unauthorized applications can significantly reduce this risk but may not be feasible due to overhead costs or employee resistance. For example, eSentire found WinRAR present on 40 percent of endpoint customers, suggesting strict application policies are not adopted across the board. Organizations can compensate for this by maintaining an inventory of installed applications or the ability to rapidly retrieve this information from endpoints as needed.

To learn more about the types of vulnerabilities that impacting mid-sized organizations and what strategies you can implement to protect your business, download the Q1 2019 Quarterly Threat Report from eSentire.


Mark Sangster is an industry security strategist and cybersecurity evangelist who researches, speaks and writes about cybersecurity as it relates to regulations, ethical obligations, data breach incident response and cyber risk management.

Subscribe to Security Magazine

You must login or register in order to post a comment.

Report Abusive Comment

Subscribe For Free!
  • Print & Digital Edition Subscriptions
  • Security eNewsletter & Other eNews Alerts
  • Online Registration
  • Mobile App
  • Subscription Customer Service

eSentire

Tweets by traqpath

Popular Stories

cybersecurity breach

The Top 12 Data Breaches of 2019

Mark Hargraves

Security Industry Mourns Passing of Mark Hargraves

ransomware-enews

British American Tobacco Suffers Data Breach and Ransomware Attack

Dispelling the Dangerous Myth of Data Breach Fatigue; cyber security news

Major Retailer Macy's Is Hacked

SEC1219-Cover-Feat-slide1_900px

Contracted vs. In-House Guarding: No Universal Right Answer

360x184customcontent_1.23Everbridge

Events

December 17, 2019

Conducting a Workplace Violence Threat Analysis and Developing a Response Plan

There are few situations a security professional will face that is more serious than a potential workplace violence threat. Every security professional knows and understands that all employers have a legal, ethical and moral duty to take reasonable steps to prevent and respond to threats of violence in their workplace.
January 23, 2020

The Value of a Unified Approach to Critical Event Management

From extreme weather to cyberattacks to workplace violence, every organization will experience at least one, if not multiple, critical events per year. And in today’s interconnected digital and physical world, the cascading safety, brand, and revenue impacts of critical events are more severe. Organizations need to be prepared through a unified and rapid response to these events.
View All Submit An Event

Poll

Emergency Communications

What does your enterprise use to communicate emergencies to company employees?
View Results Poll Archive

Products

Effective Security Management, 6th Edition

Effective Security Management, 6th Edition

 Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics. 

See More Products
SEC500_250x180 clear

Security Magazine

SEC-December-2019-Cover_144px

2019 December

This month, Security magazine brings you the 2019 Guarding Report, featuring David Komendat, Boeing CSO, and many other public safety leaders to discuss threats and solutions for 2020 and security officer training. Also, we highlight Hector Rodriguez, Director of Public Safety and Security at Marymount California University, CCPA regulations, NIST standards, VMS and much more.

View More Create Account
  • More
    • Market Research
    • Custom Content & Marketing Services
    • Security Group
    • Editorial Guidelines
    • Privacy Policy
    • Survey And Sample
  • Want More
    • Subscribe
    • Connect
    • Partners

Copyright ©2019. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing