Businesses potentially face increased threat due to overlooked software updates, according to the findings of a recent report.
In the rapidly evolving digital landscape, understanding the state of cybersecurity vulnerabilities is crucial. A comprehensive analysis of CVEs published in 2019, conducted by Kenna Security in partnership with Cyentra Institute, sheds light on some key findings.
The year 2019 saw the continuation of the Spectre and Meltdown saga, with researchers discovering an heir to these hardware vulnerabilities in Intel's product called RIDL. However, it's worth noting that the ability to exploit these vulnerabilities was somewhat limited, as processor pipelines in older systems were too shallow to allow memory exploitation.
One of the striking findings from the report is the distribution of CVEs across various tech giants. Microsoft topped the list, accounting for 28% of the total CVEs, followed by Adobe (14%), Cisco (4%), and Apple (3%).
However, the distribution of CVE detection among organizations paints a different picture. Three-quarters of the CVEs were detected by fewer than one in 11,000 organizations, underscoring the need for improved cybersecurity measures.
The report also highlights the importance of timely patching. When patches are issued for CVEs, 90% of vulnerabilities are detected by scanners in a live network environment, while only 4% are caught by a scanner before a patch is available. This means that organizations can miss updates, with the best-performing organizations detecting only 6% of CVEs, according to Kenna.
Attackers often seize this opportunity, with exploit code being released within a month of a patch being issued, according to the report. In fact, only 7% of CVEs "jumped right into exploitation in the wild."
Adrian Ludwig, CISO at Atlassian, emphasizes the importance of addressing the fear of change among development or IT teams as one of the biggest challenges in securing infrastructure. He stresses the need for organizations to be comfortable with initiating changes and fixing issues quickly.
The report also underscores the responsibility for updates, which extends beyond IT and security. IT is tasked with managing technology and processes, while the CISO focuses on the people aspect. IT should be aware of every software installation in their organizations to ensure timely updates and patches.
The search results do not provide information about which vendor had the most CVEs in the 15-month period studied by Kenna. However, it's clear that vulnerabilities occur when flawed code is published and its exploitability remains undiscovered.
In conclusion, the report underscores the importance of timely patching and vigilant inventory management. The goal, as Ludwig puts it, is to "patch it, patch it, patch it," even if the vulnerability is labeled as low risk. By doing so, organizations can mitigate the advantage attackers often have when an exploit is released prior to a patch.
