
Report: IT security teams struggle to mitigate vulnerabilities



Vulcan Cyber's latest research into vulnerability risk prioritization and mitigation programs found that IT security teams are struggling to move from simply identifying vulnerabilities to meaningful response and mitigation. As a result, business leaders and IT management professionals are constrained in their ability to gain the insights needed to protect valuable business assets effectively, which renders vulnerability management programs largely ineffective.

Risk without business context is meaningless. The survey found that most respondents tend to group vulnerabilities by infrastructure (64%), followed by business function (53%) and application (53%). This is concerning, because prioritizing risk by infrastructure or application grouping alone, without knowing what each asset does for the business, how exposed it is and what data it holds, says little about actual risk. The inability to correlate vulnerability data with real business risk leaves organizations exposed.

The vast majority of decision-makers reported using two or more of the following models to score and prioritize vulnerabilities: the Common Vulnerability Scoring System (CVSS) at 71%, the OWASP Top 10 (59%), scanner-reported severity (47%), the CWE Top 25 (38%), and bespoke scoring models (22%). To deliver meaningful cyber risk management, the report argues, a bespoke scoring model that draws on several industry-standard scoring systems is ideal and most efficient. Note that none of these inputs on its own carries asset context: CVSS rates the flaw, not the system it sits on.

The more control a security team has over risk scoring and prioritization, the more effective it can be at mitigating cyber risk. But there is no industry-wide framework for risk-based vulnerability management, so cyber hygiene continues to fall short and vulnerabilities continue to generate risk.
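The point the survey makes, that the same scanner output ranks very differently once asset context is applied, is easier to see in code. The example below is added here and is not Vulcan Cyber's model or any industry standard: it blends the inputs the report lists (CVSS, scanner severity, CWE Top 25 membership, exploit availability) into one technical score, multiplies by a business-context factor taken from a constructed asset inventory, and keeps findings on unknown assets in a separate bucket rather than giving them a default score. The weights, the inventory, the findings and the per-finding flags are all constructed assumptions; the CVE identifiers are the ones this article names.

```python
"""Risk-based vulnerability prioritisation that joins scanner findings to
business context. Added example for this page, not Vulcan Cyber's model;
the weights, asset inventory and findings are constructed (assumptions)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    business_function: str    # what the asset does for the business
    criticality: int          # 1 (disposable) .. 5 (crown jewel), from the CMDB
    internet_facing: bool
    holds_sensitive_data: bool


@dataclass(frozen=True)
class Finding:
    asset: str                # asset name as reported by the scanner
    cve: str
    cvss: float               # CVSS base score 0..10
    scanner_severity: str     # the scanner's own label
    in_cwe_top25: bool        # constructed flag for the example, check the current list
    exploit_public: bool      # public exploit or in-the-wild exploitation known


SEVERITY_WEIGHT = {"low": 0.25, "medium": 0.5, "high": 0.75, "critical": 1.0}


def technical_score(f: Finding) -> float:
    """Blend the scoring inputs the survey lists into one 0..1 number.
    Weights are assumptions for this example, not an industry standard."""
    score = 0.5 * (f.cvss / 10.0)
    score += 0.2 * SEVERITY_WEIGHT.get(f.scanner_severity.lower(), 0.0)
    if f.in_cwe_top25:
        score += 0.1
    if f.exploit_public:
        score += 0.2
    return min(score, 1.0)


def context_multiplier(a: Asset) -> float:
    """Business context, 0.2 .. 2.0: criticality sets the base, exposure and
    sensitive data each add 0.5. A low-criticality isolated box is pulled
    toward zero regardless of how high its CVSS scores are."""
    m = a.criticality / 5.0
    if a.internet_facing:
        m += 0.5
    if a.holds_sensitive_data:
        m += 0.5
    return m


def risk_score(f: Finding, a: Asset) -> float:
    """Technical score times context, scaled so the maximum is 10."""
    return round(technical_score(f) * context_multiplier(a) * 5.0, 2)


def prioritise(findings: List[Finding],
               inventory: Dict[str, Asset]) -> Tuple[List[Tuple[float, Finding]], List[Finding]]:
    """Rank findings by contextual risk. A finding whose asset is missing
    from the inventory cannot be scored honestly, so it goes to an
    'unmapped' bucket for triage instead of silently getting a default."""
    ranked, unmapped = [], []
    for f in findings:
        a = inventory.get(f.asset)
        if a is None:
            unmapped.append(f)
        else:
            ranked.append((risk_score(f, a), f))
    ranked.sort(key=lambda t: t[0], reverse=True)
    return ranked, unmapped


def rank_by_cvss(findings: List[Finding]) -> List[str]:
    """The naive ordering for comparison: CVSS only, no context."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


# Constructed sample inventory and scanner output (assumptions for the example).
INVENTORY = {
    "web-portal": Asset("web-portal", "customer checkout", 5, True, True),
    "hr-db": Asset("hr-db", "payroll", 4, False, True),
    "dev-sandbox": Asset("dev-sandbox", "developer testing", 1, False, False),
}

FINDINGS = [
    Finding("dev-sandbox", "CVE-2019-0708", 9.8, "critical", True, True),
    Finding("web-portal", "CVE-2014-0160", 7.5, "high", True, True),
    Finding("hr-db", "CVE-2021-44228", 10.0, "critical", False, True),
    Finding("legacy-box", "CVE-2021-44228", 10.0, "critical", False, True),  # not in the CMDB
]

if __name__ == "__main__":
    ranked, unmapped = prioritise(FINDINGS, INVENTORY)
    print("CVSS-only order:", rank_by_cvss(FINDINGS))
    for score, f in ranked:
        print(f"{score:5.2f}  {f.cve:<15} on {f.asset}")
    for f in unmapped:
        print("UNMAPPED (no asset context):", f.cve, "on", f.asset)
```

Ranked by CVSS alone, the Log4Shell and BlueKeep findings come first and Heartbleed last. With context applied, Heartbleed on the internet-facing, sensitive-data checkout portal moves to the top, BlueKeep on an isolated sandbox drops to the bottom, and the Log4Shell finding on an unmapped host is surfaced as a data-quality problem rather than buried or over-ranked. The unmapped bucket is the check a practitioner should keep: a scoring model that silently defaults missing context reintroduces exactly the blindness the survey describes.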

Sensitive data exposure was ranked as the most common enterprise problem area attributable to application vulnerabilities, reported by 54% of respondents. It was followed by broken authentication (44%), security misconfiguration (39%), insufficient logging and monitoring (35%), and injection (32%). Respondents also named MS14-068, the Microsoft Kerberos elevation-of-privilege flaw (CVE-2014-6324) that let an unprivileged domain user escalate to domain administrator, as the vulnerability of most concern to their organizations. Interestingly, it was called out ahead of more high-profile vulnerabilities such as MS08-067 (the Windows Server service flaw exploited by the Conficker worm, also known as Downadup or Kido), CVE-2019-0708 (BlueKeep), CVE-2014-0160 (OpenSSL, aka Heartbleed), and MS17-010 (the SMBv1 flaw exploited by EternalBlue).

Since the survey was conducted earlier this year, the Log4j vulnerability disclosed this week (Log4Shell, CVE-2021-44228) is not reflected in the report data. Vulcan Cyber is, however, already seeing how easy the vulnerability is to exploit, with ransomware continuing to be a common playbook. This once again underscores the importance of collaboration between business leaders and IT teams to reduce cyber risk through ongoing cyber hygiene and well-executed vulnerability management programs.

Vulcan Cyber's report is based on a survey of more than 200 enterprise IT and security executives conducted by Pulse.

Read the full report by Vulcan Cyber.
