Firms Patch Greater Number of Systems, but Still Slowly
Fewer systems have flaws; however, the time to remediate vulnerabilities stays flat, and many issues targeted by in-the-wild malware remain open to attack.
Companies have nearly halved the number of systems with vulnerabilities in the past year and had even greater success mitigating systems with a large number of security issues, according to data released by vulnerability management firm Edgescan.
In 2020, the company found that 43% of its clients’ systems had at least one vulnerability, and 4% of systems had 10 or more security issues, a significant improvement from the 77% of systems that had at least one issue and the 15% of systems that had 10 or more issues in 2019. However, companies still had a significant number of systems with vulnerabilities — such as the Bluekeep and EternalBlue exploits — that exposed them to common ransomware attacks, according to the firm.
The result is that although companies have improved their security, the improvements have been uneven, with the same issues continuing to plague most companies but to a lesser degree, says Eoin Keary, CEO and founder of Edgescan.
“Not much has changed regarding how quick we are at mitigating risks,” he says, adding that companies could speed their patching by “the integration of vulnerability issues, [or] tickets, into the general flow of software development, effectively treating vulnerabilities as bugs in software and tracking them as such. Development and cybersecurity working more closely together would be a good start to improve this.”
The mean time to remediate (MTTR) has remained fairly steady, with high-risk vulnerabilities taking the longest to fix at 84 days, while critical-risk vulnerabilities are fixed at a faster cadence, about 51 days on average. The distribution seems to indicate that companies tend to patch the most critical vulnerabilities and the easiest-to-fix vulnerabilities — the low-risk vulnerabilities — the fastest. Low-risk vulnerabilities are typically patched in 47 days, according to the report.
The average time that companies take to patch vulnerabilities is similar across organizations of all sizes, with the smallest companies of 100 employees or fewer taking the longest, 73 days, and medium-sized companies of up to 1,000 employees taking the shortest time, 56 days. Larger companies take about two months to patch the average vulnerability.
“Organizations could significantly reduce the risk of falling victim to these common malware [variants] by implementing a more solid vulnerability and patch management program,” Keary says.
Edgescan cross-referenced prominent malware attacks in the past year and correlated those attacks with the vulnerabilities found in thousands of assessments performed in 2020. While critical flaws only made up 7% to 12% of the vulnerabilities found during the year, more than half of flaws found in internal applications were either of critical or high severity.
In addition, the company found that SQL injection vulnerabilities made up 52% of critical vulnerabilities, while cross-site scripting flaws made up 37% of high- and medium-severity vulnerabilities. Edgescan manually validated each vulnerability with qualified pen testers to ensure that there were no false positives.
In total, 88% of the vulnerabilities found by the firm’s scans had been disclosed in the last five years, suggesting that companies still continue to struggle to catch all known vulnerabilities in their environments.
“We still see high rates of known — [that is,] patchable — vulnerabilities which have working exploits in the wild, used by known nation state and cybercriminal groups,” the company says in the report. “So yes, patching and maintenance is still a challenge, demonstrating that it is not trivial to patch production systems.”
Encryption vulnerabilities tend to remain inside companies for the longest stretch. Four of the top five vulnerabilities found in externally facing assets were various Transport Layer Security (TLC) issues that were originally discovered between 2013 and 2016, according to the report. The same issues also accounted for three of the top five vulnerabilities in internally facing assets.
“We see this due to the fact than the implementation of TLS — and SSL previously — has fundamental security issues,” Keary says. “For this reason, anyone using TLS or SSL [is] faced with the [same] problem, hence why it is so widespread.”
Exposed ports continue to be a problem, with SSH, SMTP, and the Remote Desktop Protocol (RDP) the most commonly exposed. During the pandemic, Edgescan noticed that both the share of systems that exposed RDP and SSH ports had climbed by 40%, likely due to the increase in remote working. RDP accounted for 1.2% of a sampling of 1 million endpoints, while SSH could be accessed on 3.8% of systems.
Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline … View Full Bio