Dive Brief:
- Three-quarters of common vulnerabilities and exposures (CVEs) are detected by fewer than one in 11,000 organizations, according to a Kenna Security report, produced in partnership with Cyentia Institute, that analyzed 473 CVEs published in 2019.
- When patches are issued, 90% of vulnerabilities are detected by scanners in a live network environment. Only 4% of CVEs are caught by a scanner before a patch is available.
- While 80% of the studied CVEs have available patches, organizations can miss updates. At best, one in three organizations detect 6% of CVEs, according to Kenna.
Dive Insight:
A vulnerability exists from the moment flawed code ships, whether or not anyone has yet discovered that it can be exploited.
For 40% of the vulnerabilities studied, the lifecycle began with a patch release; for another 40%, it began with the CVE publication. Only 7% of CVEs "jumped right into exploitation in the wild," according to the report.
In January 2018 the Spectre and Meltdown hardware vulnerabilities sent the industry into a tizzy, exposing modern processors made over the last two decades. The ability to exploit Spectre and Meltdown was somewhat limited, as the pipelines of processors more than 10 years old were too shallow to allow the memory exploitation.
By late 2019, researchers had found an heir to Spectre and Meltdown in another speculation-based vulnerability in an Intel product: RIDL. It wasn't a new class of vulnerability, but it moved the focus back toward inventory management processes.
Vendors with high levels of adoption, including Intel, have more exploitable territory to cover. As vendor services become more cloud-based, companies are navigating a minefield of software patches.
Microsoft has the lion's share of CVEs, making up 28% of Kenna's studied CVEs. Adobe accounted for 14%, followed by Cisco's 4% and Apple's 3%.
Updates go beyond the responsibility of IT and security. The IT organization manages the technology and the processes while the CISO folds in the people element. IT should be aware of every software installation in their organizations.
"In general, one of the biggest challenges that companies face in terms of securing their infrastructure is the development or IT team being scared of change," said Adrian Ludwig, CISO at Atlassian, in an interview with Cybersecurity Dive in October.
Updates and patches can mess with code, but attackers remain a step ahead in the CVE sequence, in the window between vulnerability disclosure and remediation, according to the report. About two-thirds of exploit code is made available within a month of a patch being issued, the report found. Over the 15 months of Kenna's research, in cases where an exploit was released before a patch, attackers held the advantage for 12 of those months.
The security organization evaluates the severity of a vulnerability, and determines whether it merits a medium- or high-risk identification. But "what you really want to get to is: patch it, patch it, patch it. It's low? Patch it," said Ludwig.
At that point, organizations feel "comfortable" initiating change and fixing issues as quickly as possible. "You've gotten rid of the fear of that change being the problem, and recognize that the change is actually the advantage," he said.