Connect with us

Hi, what are you looking for?


Report: IT security teams struggle to mitigate vulnerabilities

Hear from CIOs, CTOs, and other C-level and senior execs on data and AI strategies at the Future of Work Summit this January 12, 2022. Learn more

Vulcan Cyber‘s latest research into vulnerability risk prioritization and mitigation programs found that IT security teams are struggling to transition from simple vulnerability identification to meaningful response and mitigation. Because of this, business leaders and IT management professionals are constrained in their ability to gain the important insights needed to effectively protect valuable business assets, rendering vulnerability management programs largely ineffective.

Risk without business context is irrelevant. The survey found that the majority of respondents tend to group vulnerabilities by infrastructure (64%), followed by business function (53%) and application (53%). This is concerning as risk prioritization based on infrastructure and application groupings without asset context is not meaningful. The inability to correlate vulnerability data with actual business risk leaves organizations exposed.

The vast majority of decision-makers reported using two or more of the following models to score and prioritize vulnerabilities: the common vulnerability scoring system (CVSS) at 71%, OWASP top 10 (59%), scanner reported severity (47%), CWE Top 25 (38%), or bespoke scoring models (22%). To deliver meaningful cyber risk management, a bespoke scoring model that accounts for several industry-standard scoring systems is ideal and most efficient.

Bar graph. Title: What data would you use to prioritize vulnerabilities identified by your business? 86% said vulnerability severity. 70% said threat intelligence. 59% said asset relevance. 41% said custom risk scoring. 1% said "Other."

The more control over risk scoring and prioritization a security team has, the more effective they can be in mitigating cyber risk. But there is no industry-wide framework for risk-based vulnerability management, which means cyber hygiene continues to fall short and vulnerabilities continue to generate risk.

Sensitive data exposure was ranked as the most common enterprise concern resulting from application vulnerabilities, as reported by 54% of respondents. This was followed by broken authentication (44%), security misconfigurations (39%), insufficient logging and monitoring (35%), and injection (32%). Respondents also indicated that the MS14-068 vulnerability, otherwise known as the Microsoft Kerberos unprivileged user accounts, was the most concerning vulnerability to their organizations. Interestingly, this vulnerability was called out over more high-profile vulnerabilities such as MS08-067 (Windows SMB, aka Conficker, Downadup, Kido, etc.), CVE-2019-0708 (BlueKeep), CVE-2014-0160 (OpenSSL, aka Heartbleed), and MS17-010 (EternalBlue).

Since this survey was conducted earlier this year, the Log4J or Log4shell vulnerability announced this week was not reflected in the report data. However, Vulcan Cyber is seeing how easy it is to exploit this vulnerability, with ransomware continuing to be a favorite playbook. This, yet again, underscores the importance of collaboration between business leaders and IT teams to effectively reduce cyber risk to their organizations through ongoing cyber hygiene efforts and well-executed vulnerability management programs.

Vulcan Cyber’s report is based on a survey of more than 200 enterprise IT and security executives conducted by Pulse.

Advertisement. Scroll to continue reading.

Read the full report by Vulcan Cyber.


VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative technology and transact.

Our site delivers essential information on data technologies and strategies to guide you as you lead your organizations. We invite you to become a member of our community, to access:

  • up-to-date information on the subjects of interest to you
  • our newsletters
  • gated thought-leader content and discounted access to our prized events, such as Transform 2021: Learn More
  • networking features, and more

Become a member

Source link

Click to comment

Leave a Reply




Hear from CIOs, CTOs, and other C-level and senior execs on data and AI strategies at the Future of Work Summit this January 12,...

Online Business Success

As global supply chains are hit by pandemic disruption, can resale step in to fill the gap? getty Many factors have converged this year...

Top Stories

Open-source blockchain platform Polkadot announced the launch of its first parachains (or parallelized chain) aimed at improving the interoperability between multiple blockchains. According to...

Loan And Finance

Zurich North America has announced the appointment of Andy Peterson as regional executive for its East Region, effective Jan 1. Peterson (pictured above) will...

Top Stories

A group of eight Bitcoin (BTC) enthusiasts launched a Kickstarter campaign to publish an educational book for America’s federal policymakers, to reduce their reliance...


Threat actors have revived an old and relatively inactive ransomware family known as TellYouThePass, deploying it in attacks against Windows and Linux devices targeting...

Online Business Success

By Deborah Sweeney What benefits can a returning employee bring to your business? getty Stories about the Great Resignation made headline news throughout 2021....

Top Stories

The Uniswap community has approved the governance proposal that sought deployment of Uniswap v3 contracts over the Polygon PoS Chain. The approval comes in...


You May Also Like

SEO Guide

How to index website on Google? Do you want to drive more organic traffic to your new website? I am sure your answer is...

SEO Guide

There are all kinds of pictures of the world on the internet, but to find one of these specific pictures that you want to...


In this post, I will discuss the top ten profitable blogging niches ideas for Adsense approval and high traffic. whether you use Blogger or...

SEO Guide

Want to rank in Google image search? Images that you use as a featured images when writing a post actually appear on Google Images...