2/16/2021
Firms Patch Greater Number of Systems, but Still Slowly

Fewer systems have flaws; however, the time to remediate vulnerabilities stays flat, and many issues targeted by in-the-wild malware remain open to attack.

Companies have nearly halved the number of systems with vulnerabilities in the past year and had even greater success mitigating systems with a large number of security issues, according to data released by vulnerability management firm Edgescan.

In 2020, the company found that 43% of its clients' systems had at least one vulnerability, and 4% of systems had 10 or more security issues, a significant improvement from 2019, when 77% of systems had at least one issue and 15% had 10 or more. However, companies still had a significant number of systems with vulnerabilities — such as those targeted by the BlueKeep and EternalBlue exploits — that exposed them to common ransomware attacks, according to the firm.


The result is that although companies have improved their security, the improvements have been uneven, with the same issues continuing to plague most companies but to a lesser degree, says Eoin Keary, CEO and founder of Edgescan. 

"Not much has changed regarding how quick we are at mitigating risks," he says, adding that companies could speed their patching by "the integration of vulnerability issues, [or] tickets, into the general flow of software development, effectively treating vulnerabilities as bugs in software and tracking them as such. Development and cybersecurity working more closely together would be a good start to improve this."

The mean time to remediate (MTTR) has remained fairly steady. High-risk vulnerabilities take the longest to fix, at 84 days, while critical-risk vulnerabilities are fixed at a faster cadence, about 51 days on average. The distribution suggests that companies patch the most critical vulnerabilities and the easiest-to-fix ones — the low-risk vulnerabilities — fastest. Low-risk vulnerabilities are typically patched in 47 days, according to the report.

The average time that companies take to patch vulnerabilities is similar across organizations of all sizes, with the smallest companies of 100 employees or fewer taking the longest, 73 days, and medium-sized companies of up to 1,000 employees taking the shortest time, 56 days. Larger companies take about two months to patch the average vulnerability.
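The remediation metrics discussed above (MTTR per severity, and whether tickets are closed inside a target window) are straightforward to compute once vulnerabilities are tracked as tickets in the same way as software bugs, as Keary suggests. The following is an added example, not code from the article or from Edgescan: it takes a constructed set of vulnerability tickets, computes the mean time to remediate per severity, and lists tickets that have exceeded a hypothetical per-severity remediation target. The ticket data, the `SLA_DAYS` targets and the `AS_OF` reporting date are assumptions made for the example; the sample durations are chosen to land on the averages quoted in the article so the output is easy to relate to the text.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

# Hypothetical remediation targets in days, per severity (assumption for this example).
SLA_DAYS = {"critical": 14, "high": 30, "medium": 60, "low": 90}

# Reporting date for "still open" tickets (constructed).
AS_OF = date(2020, 12, 31)

# Severity order used when ranking the open backlog.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class VulnTicket:
    """One vulnerability tracked like a bug: when found, when fixed (None = still open)."""
    ticket_id: str
    severity: str
    discovered: date
    remediated: Optional[date]


# Constructed sample tickets; not real scan data. Closed durations are 40/62 days
# (critical, mean 51), 84 days (high) and 47 days (low) to mirror the report's figures.
SAMPLE_TICKETS = [
    VulnTicket("VULN-101", "critical", date(2020, 3, 1), date(2020, 4, 10)),
    VulnTicket("VULN-102", "critical", date(2020, 5, 4), date(2020, 7, 5)),
    VulnTicket("VULN-103", "high", date(2020, 2, 10), date(2020, 5, 4)),
    VulnTicket("VULN-104", "high", date(2020, 6, 1), None),
    VulnTicket("VULN-105", "low", date(2020, 8, 1), date(2020, 9, 17)),
    VulnTicket("VULN-106", "medium", date(2020, 9, 1), None),
]


def days_open(ticket: VulnTicket, as_of: date) -> int:
    """Days between discovery and remediation, or until as_of if still open."""
    end = ticket.remediated or as_of
    return (end - ticket.discovered).days


def mttr_by_severity(tickets):
    """Mean time to remediate (days) for closed tickets, keyed by severity."""
    durations = {}
    for t in tickets:
        if t.remediated is not None:
            durations.setdefault(t.severity, []).append((t.remediated - t.discovered).days)
    return {sev: mean(days) for sev, days in durations.items()}


def sla_breaches(tickets, as_of: date):
    """IDs of tickets (open or closed) whose time open exceeds the severity's target."""
    return [t.ticket_id for t in tickets if days_open(t, as_of) > SLA_DAYS[t.severity]]


def open_backlog(tickets, as_of: date):
    """Open tickets ordered by severity, then by age (oldest first), for triage."""
    still_open = [t for t in tickets if t.remediated is None]
    still_open.sort(key=lambda t: (SEVERITY_RANK[t.severity], -days_open(t, as_of)))
    return [(t.ticket_id, t.severity, days_open(t, as_of)) for t in still_open]


if __name__ == "__main__":
    for sev, days in mttr_by_severity(SAMPLE_TICKETS).items():
        print(f"MTTR {sev:<8} {days:>5} days")
    print("Over target:", sla_breaches(SAMPLE_TICKETS, AS_OF))
    print("Open backlog:", open_backlog(SAMPLE_TICKETS, AS_OF))
```

Feeding the same functions an export from a real ticket tracker is the point of the exercise: once each finding carries a discovery date, a remediation date and a severity, the MTTR trend and the list of tickets past their target fall out of the existing bug-tracking workflow rather than needing a separate process.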

"Organizations could significantly reduce the risk of falling victim to these common malware [variants] by implementing a more solid vulnerability and patch management program," Keary says.

Edgescan cross-referenced prominent malware attacks in the past year and correlated those attacks with the vulnerabilities found in thousands of assessments performed in 2020. While critical flaws only made up 7% to 12% of the vulnerabilities found during the year, more than half of flaws found in internal applications were either of critical or high severity. 

In addition, the company found that SQL injection vulnerabilities made up 52% of critical vulnerabilities, while cross-site scripting flaws made up 37% of high- and medium-severity vulnerabilities. Edgescan manually validated each vulnerability with qualified pen testers to ensure that there were no false positives. 

In total, 88% of the vulnerabilities found by the firm's scans had been disclosed in the last five years, suggesting that companies still continue to struggle to catch all known vulnerabilities in their environments.

"We still see high rates of known — [that is,] patchable — vulnerabilities which have working exploits in the wild, used by known nation state and cybercriminal groups," the company says in the report. "So yes, patching and maintenance is still a challenge, demonstrating that it is not trivial to patch production systems."

Encryption vulnerabilities tend to remain inside companies for the longest stretch. Four of the top five vulnerabilities found in externally facing assets were various Transport Layer Security (TLS) issues that were originally discovered between 2013 and 2016, according to the report. The same issues also accounted for three of the top five vulnerabilities in internally facing assets.

"We see this due to the fact that the implementation of TLS — and SSL previously — has fundamental security issues," Keary says. "For this reason, anyone using TLS or SSL [is] faced with the [same] problem, hence why it is so widespread."

Exposed ports continue to be a problem, with SSH, SMTP, and the Remote Desktop Protocol (RDP) the most commonly exposed. During the pandemic, Edgescan noticed that the share of systems exposing RDP and the share exposing SSH had both climbed by 40%, likely due to the increase in remote working. RDP accounted for 1.2% of a sampling of 1 million endpoints, while SSH could be accessed on 3.8% of systems.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...