Vulcan Cyber's latest research into vulnerability risk prioritization and mitigation programs found that IT security teams are struggling to move from simple vulnerability identification to meaningful response and mitigation. As a result, business leaders and IT management professionals lack the critical insights needed to protect valuable business assets effectively, which renders vulnerability management programs largely ineffective.
Risk without business context is irrelevant. The survey found that most respondents tend to group vulnerabilities by infrastructure (64%), followed by business function (53%) and application (53%). This is concerning, because prioritizing risk by infrastructure or application grouping without asset context is not meaningful: the same CVSS 9.8 finding on an isolated test host and on an internet-facing payment system describes two very different risks. The inability to correlate vulnerability data with actual business risk leaves organizations exposed.
The vast majority of decision-makers reported using two or more of the following to score and prioritize vulnerabilities: the Common Vulnerability Scoring System (CVSS) at 71%, the OWASP Top 10 (59%), scanner-reported severity (47%), the CWE Top 25 (38%), and bespoke scoring models (22%). Note that the OWASP Top 10 and CWE Top 25 are ranked lists of weakness categories rather than scoring systems, so they can weight a class of flaw but cannot by themselves rank one finding against another. To deliver meaningful cyber risk management, a bespoke scoring model that draws on several industry-standard inputs and adds asset context is the most effective approach.
The more control a security team has over risk scoring and prioritization, the more effective it can be at mitigating cyber risk. But there is no industry-wide framework for risk-based vulnerability management, which means cyber hygiene continues to fall short and vulnerabilities continue to generate risk.
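As an added illustration (this is not Vulcan Cyber's model, nor code from the report), the following Python sketch shows what a bespoke score of the kind described above looks like in practice: it layers asset criticality and internet exposure on top of CVSS and scanner-reported severity, and boosts findings that are known to be exploited. The weights, field names and sample findings are all assumptions constructed for this example, and the finding labels are placeholders rather than real CVE identifiers. The point it demonstrates is the one made above: a CVSS-only ordering puts two 9.8 findings on low-value internal hosts first, while the context-aware ordering moves a 7.5 on an exposed, exploited, revenue-critical system to the top and the dev box to the bottom.

```python
"""Bespoke risk score combining CVSS, scanner severity, exploitation
status and asset context. Weights and fields are illustrative
assumptions for this example, not a published or vendor model."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    label: str                # placeholder id for the example, not a real CVE
    cvss_base: float          # CVSS v3 base score, 0.0 to 10.0
    scanner_severity: str     # severity as reported by the scanner
    known_exploited: bool     # e.g. listed in a known-exploited catalogue
    asset: str                # host or service the finding was seen on
    asset_criticality: int    # business criticality, 1 (dev/test) to 5 (revenue critical)
    internet_exposed: bool    # reachable from the internet
    business_function: str    # owning business function, for reporting


# Assumed mapping of vendor severity labels onto a 0..1 weight.
SEVERITY_WEIGHT = {"low": 0.25, "medium": 0.5, "high": 0.75, "critical": 1.0}


def risk_score(f: Finding) -> float:
    """Return a 0..100 risk score.

    technical : average of normalised CVSS and scanner severity, boosted
                by 50% (capped at 1.0) when exploitation is known.
    context   : asset criticality normalised to 0..1.
    exposure  : internet-facing assets count fully, internal ones at half.
    """
    technical = (f.cvss_base / 10.0 + SEVERITY_WEIGHT[f.scanner_severity.lower()]) / 2
    if f.known_exploited:
        technical = min(1.0, technical * 1.5)
    context = f.asset_criticality / 5.0
    exposure = 1.0 if f.internet_exposed else 0.5
    return round(100 * technical * context * exposure, 1)


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Order findings by contextual risk, highest first."""
    return sorted(findings, key=risk_score, reverse=True)


def prioritize_by_cvss(findings: List[Finding]) -> List[Finding]:
    """Baseline ordering by CVSS base score alone, for comparison."""
    return sorted(findings, key=lambda f: f.cvss_base, reverse=True)


# Constructed sample findings (not real scan output).
SAMPLE_FINDINGS = [
    Finding("finding-1", 9.8, "critical", False, "build-agent-dev-03", 1, False, "engineering"),
    Finding("finding-2", 7.5, "high", True, "payments-api-prod", 5, True, "finance"),
    Finding("finding-3", 6.5, "medium", False, "hr-portal-prod", 4, True, "hr"),
    Finding("finding-4", 9.8, "critical", False, "intranet-wiki", 2, False, "it"),
]


if __name__ == "__main__":
    print("CVSS-only order:")
    for f in prioritize_by_cvss(SAMPLE_FINDINGS):
        print(f"  {f.cvss_base:>4}  {f.asset}")
    print("Context-aware order:")
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"  {risk_score(f):>5}  {f.asset}  ({f.business_function})")
```

The multiplicative form is deliberate: a finding on an asset nobody depends on should never outrank one on a critical, exposed system no matter how high its CVSS, and the exploitation boost is capped so that "known exploited" cannot push a low-severity issue past the scale.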
Sensitive data exposure was ranked as the most common business concern resulting from application vulnerabilities, reported by 54% of respondents. It was followed by broken authentication (44%), security misconfiguration (39%), insufficient logging and monitoring (35%), and injection (32%). Respondents also named MS14-068, the Microsoft Kerberos KDC vulnerability that lets an unprivileged domain user account forge a ticket carrying elevated privileges, as the vulnerability of most concern to their organizations. Interestingly, it was called out over higher-profile vulnerabilities such as MS08-067 (the Windows Server service flaw reachable over SMB and exploited by the Conficker worm, also known as Downadup or Kido), CVE-2019-0708 (BlueKeep), CVE-2014-0160 (OpenSSL, aka Heartbleed), and MS17-010 (EternalBlue).
Because the survey was conducted earlier this year, the Log4j vulnerability (Log4Shell) disclosed this week is not reflected in the report data. However, Vulcan Cyber is seeing how easy it is to exploit, with ransomware continuing to be a favored playbook. This once again underscores the importance of collaboration between business leaders and IT teams to reduce cyber risk through ongoing cyber hygiene efforts and well-executed vulnerability management programs.
Vulcan Cyber's report is based on a survey of more than 200 enterprise IT and security executives conducted by Pulse.
Read the full report by Vulcan Cyber.