SAN JOSE, Calif. — A new cybersecurity report measures “the exploitability of entire organizations” in terms of the software vulnerabilities they leave open.
With an average of 55 new software vulnerabilities published every day in 2021, IT teams “cannot fix all of the vulnerabilities across their infrastructures,” according to Cisco this month.
The findings are based on a report by Cisco’s Kenna Security, “Prioritization to Prediction, Volume 8: Measuring and Minimizing Exploitability,” with research also conducted by the Cyentia Institute.
The report shows that prioritizing which vulnerabilities to fix is more effective than increasing an organization’s capacity to patch them, and that doing both can achieve a 29-fold reduction in an organization’s measured exploitability.
According to Cisco, the findings support a recent Cybersecurity and Infrastructure Security Agency (CISA) directive that moves away from prioritizing fixes by CVSS score in favor of focusing on high-risk vulnerabilities.
The analysis shows that factors such as the availability of exploit code, and even Twitter mentions, are “better signals than CVSS scores.”
Key findings
- Nearly all (95%) IT assets have at least one highly exploitable vulnerability
- Prioritizing vulnerabilities with exploit code is 11 times more effective than CVSS in minimizing exploitability
- Most (87%) organizations have open vulnerabilities in at least a quarter of their active assets, and 41% of them show vulnerabilities in three of every four assets
- A 62% majority of vulnerabilities have less than a 1% chance of exploitation, and only 5% of CVEs exceed a 10% probability.
Exploitability was determined using the open Exploit Prediction Scoring System (EPSS), which estimates the probability that a given CVE will be exploited in the wild within the next 30 days. EPSS is a cross-industry effort, including Kenna Security and the Cyentia Institute, that is maintained by FIRST.org.
“Exploitations in the wild used to be the best indicator for which vulnerabilities security teams should prioritize,” said Ed Bellis, co-founder and CTO of Kenna Security.
“Now we can show the likelihood of a particular organization being exploited, which is what we’ve always wanted to do.”
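As an added illustration of the prioritization trade-off the report describes (this is example code, not Kenna’s or the report’s own method or data), the Python below ranks a constructed set of open findings three ways: by CVSS base score, by whether exploit code exists, and by EPSS probability. It then measures how much exploitability remains after patching a fixed number of them. The finding identifiers, the CVSS/EPSS values, and the “probability that at least one remaining vulnerability is exploited” formula (which treats EPSS values as independent) are all assumptions of this example and not figures from the report.

```python
"""Compare remediation strategies by the exploitability that remains after
patching. Added example; sample data is constructed and not from the report."""
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Vuln:
    vid: str            # placeholder identifier, not a real CVE
    cvss: float         # CVSS base score, 0-10
    epss: float         # EPSS: probability of exploitation in the next 30 days
    exploit_code: bool  # public exploit code is known to exist


# Constructed inventory of open findings on one asset (illustrative values only).
SAMPLE = [
    Vuln("vuln-01", 9.8, 0.020, False),
    Vuln("vuln-02", 7.5, 0.900, True),
    Vuln("vuln-03", 5.3, 0.400, True),
    Vuln("vuln-04", 9.1, 0.010, False),
    Vuln("vuln-05", 6.5, 0.003, False),
    Vuln("vuln-06", 8.8, 0.150, True),
    Vuln("vuln-07", 4.3, 0.002, False),
    Vuln("vuln-08", 10.0, 0.050, False),
]


def by_cvss(vulns):
    """Classic approach: highest CVSS base score first."""
    return sorted(vulns, key=lambda v: v.cvss, reverse=True)


def by_exploit_code(vulns):
    """Findings with known exploit code first; CVSS breaks ties within a group."""
    return sorted(vulns, key=lambda v: (v.exploit_code, v.cvss), reverse=True)


def by_epss(vulns):
    """Highest predicted probability of exploitation first."""
    return sorted(vulns, key=lambda v: v.epss, reverse=True)


STRATEGIES = {"cvss": by_cvss, "exploit_code": by_exploit_code, "epss": by_epss}


def exploitability(vulns):
    """Probability that at least one of the given open vulnerabilities is
    exploited, treating the EPSS values as independent events. This is a
    simplification chosen for the example, not the report's own metric."""
    return 1.0 - prod(1.0 - v.epss for v in vulns)


def remaining_exploitability(vulns, strategy, capacity):
    """Exploitability left after patching the first `capacity` findings in the
    order the named strategy produces."""
    ordered = STRATEGIES[strategy](vulns)
    return exploitability(ordered[capacity:])


def compare(vulns, capacity):
    """Remaining exploitability per strategy, plus the reduction factor
    relative to patching nothing at all."""
    baseline = exploitability(vulns)
    result = {}
    for name in STRATEGIES:
        left = remaining_exploitability(vulns, name, capacity)
        reduction = baseline / left if left > 0 else float("inf")
        result[name] = {"remaining": left, "reduction": reduction}
    return result


if __name__ == "__main__":
    # With this constructed data, EPSS ordering at capacity 2 leaves less
    # exploitability than CVSS ordering at capacity 4: prioritization beats
    # raw patching capacity, which is the report's central point.
    for cap in (2, 4):
        print(f"capacity={cap}")
        for name, r in compare(SAMPLE, cap).items():
            print(f"  {name:>12}: remaining={r['remaining']:.3f} "
                  f"reduction={r['reduction']:.1f}x")
```

The comparison is deliberately simple: a real program would pull EPSS scores from the FIRST.org feed for each CVE in the asset inventory and weight by asset criticality, but the mechanism is the same, so rank by likelihood of exploitation, spend limited patching capacity at the top of that list, and measure what is left.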
Cybersecurity threats on the rise
The report is the latest in a string of cybersecurity reports from various organizations, including vendors in the market.
Taken together, they show cyber threats growing significantly over the past year across a variety of metrics, alongside persistent internal vulnerabilities.
For instance, Trend Micro reports a 47% increase in blocked cyber threats, and Thales says 83% of companies do not encrypt all of their sensitive data in the cloud.