

05:45 PM

Firms Patch Greater Number of Systems, but Still Slowly

Fewer systems have flaws; however, the time to remediate vulnerabilities stays flat, and many issues targeted by in-the-wild malware remain open to attack.

Companies have nearly halved the number of systems with vulnerabilities in the past year and had even greater success mitigating systems with a large number of security issues, according to data released by vulnerability management firm Edgescan.

In 2020, the company found that 43% of its clients' systems had at least one vulnerability, and 4% of systems had 10 or more security issues, a significant improvement from 2019, when 77% of systems had at least one issue and 15% had 10 or more. However, companies still had a significant number of systems with vulnerabilities — such as those targeted by the BlueKeep and EternalBlue exploits — that exposed them to common ransomware attacks, according to the firm.


The result is that although companies have improved their security, the improvements have been uneven, with the same issues continuing to plague most companies, but to a lesser degree, says Eoin Keary, CEO and founder of Edgescan.

"Not much has changed regarding how quick we are at mitigating risks," he says, adding that companies could speed their patching by "the integration of vulnerability issues, [or] tickets, into the general flow of software development, effectively treating vulnerabilities as bugs in software and tracking them as such. Development and cybersecurity working more closely together would be a good start to improve this."

The mean time to remediate (MTTR) has remained fairly steady, with high-risk vulnerabilities taking the longest to fix at 84 days, while critical-risk vulnerabilities are fixed at a faster cadence, about 51 days on average. The distribution seems to indicate that companies tend to patch the most critical vulnerabilities and the easiest-to-fix vulnerabilities — the low-risk vulnerabilities — the fastest. Low-risk vulnerabilities are typically patched in 47 days, according to the report.

The average time that companies take to patch vulnerabilities is similar across organizations of all sizes, with the smallest companies of 100 employees or fewer taking the longest, 73 days, and medium-sized companies of up to 1,000 employees taking the shortest time, 56 days. Larger companies take about two months to patch the average vulnerability.

"Organizations could significantly reduce the risk of falling victim to these common malware [variants] by implementing a more solid vulnerability and patch management program," Keary says.

Edgescan cross-referenced prominent malware attacks in the past year with the vulnerabilities found in thousands of assessments performed in 2020. While critical flaws made up only 7% to 12% of the vulnerabilities found during the year, more than half of the flaws found in internal applications were of critical or high severity.

In addition, the company found that SQL injection vulnerabilities made up 52% of critical vulnerabilities, while cross-site scripting flaws made up 37% of high- and medium-severity vulnerabilities. Edgescan manually validated each vulnerability with qualified pen testers to ensure there were no false positives.

In total, 88% of the vulnerabilities found by the firm's scans had been disclosed in the last five years, suggesting that companies continue to struggle to catch all known vulnerabilities in their environments.

"We still see high rates of known — [that is,] patchable — vulnerabilities which have working exploits in the wild, used by known nation state and cybercriminal groups," the company says in the report. "So yes, patching and maintenance is still a challenge, demonstrating that it is not trivial to patch production systems."

Encryption vulnerabilities tend to remain inside companies for the longest stretch. Four of the top five vulnerabilities found in externally facing assets were various Transport Layer Security (TLS) issues that were originally discovered between 2013 and 2016, according to the report. The same issues also accounted for three of the top five vulnerabilities in internally facing assets.

"We see this due to the fact that the implementation of TLS — and SSL previously — has fundamental security issues," Keary says. "For this reason, anyone using TLS or SSL [is] faced with the [same] problem, hence why it is so widespread."

Exposed ports continue to be a problem, with SSH, SMTP, and the Remote Desktop Protocol (RDP) the most commonly exposed. During the pandemic, Edgescan noticed that the share of systems exposing RDP and the share exposing SSH had each climbed by 40%, likely due to the increase in remote working. RDP was exposed on 1.2% of a sample of 1 million endpoints, while SSH could be accessed on 3.8% of systems.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
