NopSec Releases 2015 State of Vulnerability Risk Management Report Revealing the Continued Remediation Struggle and New Social Media Effect
NopSec, a provider of precision threat prediction and remediation solutions, today released a new report, “2015 State of Vulnerability Risk Management.” The report reveals key security vulnerability issues historically and by industry, analyzes cross-industry remediation developments and highlights the effect social media has on the risk associated with security vulnerabilities.
Conducted by the NopSec Labs research team, the report analyzed more than 65,000 vulnerabilities contained in the National Vulnerability Database over a 20-year period, as well as a subset of more than 21,000 of those vulnerabilities identified across customers in all industries. Analysis focused on the distribution of the Common Vulnerability Scoring System (CVSS) base score, access vector, and the platforms (CPE) where the vulnerabilities were found. In addition, the team assessed vulnerabilities by asset and average time to remediation by vertical and attack vector.
Top findings include:
- Apple is not immune – Microsoft and Apple dominate the vulnerability chart based on the two-decade analysis, with Linux operating systems trailing behind the two giants. In addition, Adobe, Apple, Microsoft, Mozilla and Oracle face the most severe vulnerabilities.
- Remediation challenges are creating major security risks – While rapid vulnerability detection is at an all-time high, it still takes the typical organization too long to address known security issues. The average time it takes to remediate a security vulnerability is 103 days. In fact, while cloud providers remediate fastest (50 days), followed closely by healthcare organizations (97 days), financial services companies and education organizations take a shocking 176 days to take corrective action. That means they are potentially exposing themselves to data breaches for almost six months. Even worse, nearly a third (32 percent) of security vulnerabilities take more than a year to fix in the financial industry.
- Cloud providers’ IT assets are most exposed to attack – The average number of security vulnerabilities per asset varies dramatically across industries, with cloud providers facing more than all other industries combined. Cloud providers average 18 vulnerabilities per asset; this is in stark contrast to the six vulnerabilities per asset in financial services and the number faced by the healthcare (three) and education (two) sectors. Despite the risk of exposure, cloud providers rank as the most progressive industry in terms of the remediation of known security issues – closing 90 percent of identified vulnerabilities in less than 30 days.
- No network is safe – Security vulnerabilities in applications are remediated nine times faster than network vulnerabilities. While application vulnerabilities are fixed within three weeks on average (20 days), network vulnerabilities are left unaddressed for a staggering 182 days.
- Socialization of risks clearly calls out top threats – The typical security vulnerability averages 115 social media mentions when there is a known malware exploit. However, that number skyrockets when an exploit earns a “critical” risk severity rating based on the NopSec technical risk score. Critical vulnerabilities average 748 social media mentions, whereas high risk and medium risk vulnerabilities as rarely discussed (89 and eight respectively).
“Organizations are still very vulnerable to exploitation. Although businesses have been alerted of the potential risks, system vulnerabilities and misconfigurations continue to be the root causes for costly security breaches,” noted Michelangelo Sidagni, NopSec Chief Technology Officer and Head of NopSec Labs. “Detection is simply not enough in today’s threat landscape of sophisticated attacks; organizations need to focus on improving threat prioritization. Vulnerability remediation efforts need to move much faster than they are right now in order to close the window of opportunity for exploitation and win the race against hackers.”
Download the infographic to learn more.
NopSec provides precision threat prediction and remediation workflow solutions to help businesses protect their IT environments from security breaches. The company’s flagship product, Unified VRM, is based on a flexible SaaS architecture that provides intelligent context to vulnerability data, enabling security teams to visually forecast threat risk to dramatically reduce the turnaround time between identification and remediation of critical security vulnerabilities across infrastructure and applications. NopSec has been recognized as one of the 20 Most Promising Enterprise Security Companies of 2015 by CIO Review and named to CRN’s list of Emerging Security Vendors for three consecutive years. NopSec is based in New York, NY. For more information, please visit www.nopsec.com.