A recent analysis has shed light on the challenges faced by security teams in remediating vulnerabilities, as fatigue sets in due to the increasing number of publicly disclosed vulnerabilities. The study, conducted by S&P Global Ratings in collaboration with cyber risk analytics company Guidewire, highlighted the struggles of organizations in effectively addressing security flaws affecting their systems.
Lead cyber risk expert at S&P Global Ratings, Paul Alvarez, expressed concern over the slow remediation of highly targeted cyber vulnerabilities, which could potentially compromise computer systems. The analysis focused on vulnerability data from over 7,000 organizations in the financial and corporate sectors, collected through Guidewire's scan of internet-facing computer systems in 2023.
The findings revealed that a significant number of organizations were only occasionally or infrequently remediating vulnerabilities within their attack surface, meaning the internet-connected systems that are easiest to exploit. Approximately 30% of organizations remediated these vulnerabilities occasionally, while over 40% were found to be patching them infrequently. This lack of timely remediation poses a serious risk to organizations, as cyber threats continue to evolve and grow in sophistication.
One of the key challenges identified in the analysis was the inadequacy of traditional prioritization methods based on the Common Vulnerability Scoring System (CVSS). The report suggested that CVSS may not account for all the metrics required to prioritize vulnerabilities accurately. In response, the report proposed considering the Exploit Prediction Scoring System (EPSS), developed by the Forum of Incident Response and Security Teams (FIRST), which draws on real-world threat data to estimate the likelihood that a vulnerability will be exploited.
The analysis also highlighted the role of a vulnerability's age in its exploitation, noting that older vulnerabilities are often targeted because attacks against them have a higher likelihood of success. Strikingly, 28% of the vulnerabilities detected in the analysis originated from 2016, and some dated back over 24 years. This persistent exploitation of aging vulnerabilities underscores the urgency for organizations to adopt timely and effective vulnerability management practices.
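To make the prioritization point of the two preceding paragraphs concrete, the following Python is an added illustration (not code from the report or from FIRST): it orders the same set of constructed findings once by CVSS base score and once by EPSS probability, using disclosure age as a tie-breaker. The identifiers, scores and years are placeholders, and the 10% EPSS threshold is an assumed policy value, not one the report gives.

```python
from dataclasses import dataclass
from typing import List, Set


@dataclass(frozen=True)
class Finding:
    vuln_id: str   # placeholder identifier, not a real CVE
    cvss: float    # CVSS base score, 0.0 to 10.0
    epss: float    # EPSS probability of exploitation, 0.0 to 1.0
    year: int      # year the vulnerability was publicly disclosed


# Constructed sample data: a high-CVSS, low-EPSS pair and an older,
# medium-CVSS pair whose EPSS probabilities are high.
SAMPLE: List[Finding] = [
    Finding("VULN-A", 9.8, 0.02, 2023),
    Finding("VULN-B", 7.5, 0.91, 2017),
    Finding("VULN-C", 5.3, 0.65, 2016),
    Finding("VULN-D", 9.1, 0.01, 2022),
]


def rank_by_cvss(findings: List[Finding]) -> List[str]:
    """Traditional queue: most severe CVSS base score first."""
    ordered = sorted(findings, key=lambda f: f.cvss, reverse=True)
    return [f.vuln_id for f in ordered]


def rank_by_epss(findings: List[Finding], current_year: int = 2023) -> List[str]:
    """Threat-informed queue: highest exploitation probability first;
    older disclosure breaks ties, since aging flaws remain targeted."""
    ordered = sorted(
        findings,
        key=lambda f: (f.epss, current_year - f.year),
        reverse=True,
    )
    return [f.vuln_id for f in ordered]


def patch_now(findings: List[Finding], epss_threshold: float = 0.10) -> Set[str]:
    """Findings whose EPSS probability meets an assumed policy threshold."""
    return {f.vuln_id for f in findings if f.epss >= epss_threshold}


if __name__ == "__main__":
    print("CVSS order:", rank_by_cvss(SAMPLE))
    print("EPSS order:", rank_by_epss(SAMPLE))
    print("Patch now: ", sorted(patch_now(SAMPLE)))
```

Run as written, the two queues invert: the two 9.x CVSS findings head the CVSS list but fall to the bottom of the EPSS list, while the 2016 and 2017 findings move to the top.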
Overall, the analysis pointed towards a pressing need for organizations to enhance their remediation efforts and prioritize vulnerability management to strengthen their overall security posture. As cyber threats continue to evolve and grow in complexity, organizations must remain vigilant in addressing vulnerabilities promptly to mitigate the risk of potential breaches and cyber attacks.