Vulnerability remediation is taking a severe hit as security teams are faced with fatigue from a growing number of publicly disclosed vulnerabilities.
According to an analysis by S&P Global Ratings, a joint division of S&P Global and the cyber risk analytics company Guidewire, almost three-quarters of organizations are either occasionally or infrequently remediating the vulnerabilities affecting their systems.
“Our analysis suggests that some organizations that we rate may be slow to remediate highly targeted cyber vulnerabilities, increasing the risk that computer systems could be compromised,” said Paul Alvarez, lead cyber risk expert at S&P Global Ratings.
The analysis, which used Guidewire’s 2023 scan of internet-facing computer systems, considered vulnerability data for over 7,000 organizations in the financial and corporate sectors.
Remediation is slow
The analysis looked at 2023 vulnerability scans of systems within the “attack surface,” meaning computer systems that are connected to the internet and are therefore easier to exploit, and found that 30% of organizations remediated these vulnerabilities only “occasionally.”
More than 40% of organizations were found to patch “infrequently,” meaning that seven out of every ten organizations were patching poorly the very flaws that posed the greatest risk.
The increasing frequency of discovered vulnerabilities makes it difficult to determine what to fix, according to the report. Traditional Common Vulnerability Scoring System (CVSS)-based prioritization may also worsen security by contributing to delayed remediation.
Prioritization may have been inadequate all along
CVSS provides a standardized way of categorizing vulnerabilities that takes into account factors such as how a flaw can be exploited, how difficult the exploit is, the privileges it needs, whether user interaction is required, and the degree of impact a successful exploit would have.
The system may be missing additional metrics that would allow more accurate prioritization. The report suggests also considering the Exploit Prediction Scoring System (EPSS), created by the Forum of Incident Response and Security Teams (FIRST), a group of incident responders and security experts.
“EPSS collects as much vulnerability information as possible, along with the evidence of vulnerabilities being exploited,” Alvarez explained. “This includes (but is not limited to) information about the vulnerabilities themselves, availability of exploit code, mentions of the vulnerabilities on social media, and data from offensive security tools and scanners.”
EPSS works on a model trained to analyze all the collected information and generate probabilities for exploitation, he added.
Vulnerabilities observed in the analysis averaged a CVSS score of 4.87 out of 10 while averaging an EPSS score of 0.33 (on a scale of 0 to 1). While this might make EPSS look a little less forgiving than CVSS, Alvarez has a different explanation.
“Since the CVSS and EPSS scores look at vulnerabilities differently, it is not an apples-to-apples comparison,” he said. “The CVSS scores do not take into consideration real-world threat data. Therefore, a vulnerability may have a high CVSS score but a lower EPSS score. That is why both scores should be taken into consideration when trying to prioritize vulnerability remediation.”
Age of the vulnerability plays a role
Older vulnerabilities are exploited again and again because attacks against them are likely to succeed, according to the report.
The analysis therefore revealed a significant threat: 28% of the detected vulnerabilities originated in 2016, seven years ago. Nearly 75% of these vulnerabilities were publicly disclosed seven or more years ago, with the oldest dating back over 24 years.
This persistent exploitation of aging vulnerabilities underscores the critical need for timely and effective vulnerability management. Poor remediation, as revealed in the analysis, may also signal broader weaknesses in overall management and governance, the report added.
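To make concrete what the report argues in the CVSS-versus-EPSS section and in the section on vulnerability age, here is an added example (not code from S&P Global Ratings, Guidewire or FIRST) of a remediation queue that ranks findings by both scores instead of by CVSS alone. The records, their `EXAMPLE-*` identifiers and the `risk_score` combination (EPSS probability weighted by CVSS severity, with older disclosures winning ties) are all constructed for illustration; real EPSS values would come from the FIRST data feed, and the weighting is a design choice, not a published formula.

```python
from dataclasses import dataclass
from statistics import mean

# Constructed sample findings (hypothetical identifiers, not real CVEs).
# Columns: id, CVSS base score (0..10), EPSS probability (0..1), disclosure year.
SAMPLE = [
    ("EXAMPLE-0001", 9.8, 0.02, 2023),  # critical severity, little exploitation evidence
    ("EXAMPLE-0002", 6.5, 0.71, 2016),  # medium severity, heavily exploited, seven years old
    ("EXAMPLE-0003", 7.5, 0.45, 2019),
    ("EXAMPLE-0004", 4.3, 0.01, 2022),
    ("EXAMPLE-0005", 8.1, 0.09, 1999),  # high severity, decades old
]


@dataclass(frozen=True)
class Vuln:
    vid: str
    cvss: float   # severity only; carries no real-world threat data
    epss: float   # modelled probability of exploitation in the wild
    year: int     # year of public disclosure


def load(rows):
    """Build Vuln records from the constructed rows above."""
    return [Vuln(*row) for row in rows]


def age(v, current_year):
    """Years since public disclosure."""
    return current_year - v.year


def risk_score(v):
    """Assumed combination: exploitation likelihood weighted by severity.

    A CVSS 9.8 flaw with EPSS 0.02 scores lower than a CVSS 6.5 flaw with
    EPSS 0.71, which is the 'not apples-to-apples' point made in the article.
    """
    return v.epss * v.cvss


def prioritize(vulns, current_year):
    """Remediation order: highest combined risk first; on equal risk the older
    disclosure comes first, since aging flaws keep being exploited."""
    return sorted(vulns, key=lambda v: (-risk_score(v), -age(v, current_year), v.vid))


def prioritize_cvss_only(vulns):
    """The traditional queue, for comparison: severity alone."""
    return sorted(vulns, key=lambda v: (-v.cvss, v.vid))


def summarize(vulns, current_year, old_threshold=7):
    """Portfolio view in the same terms the report uses: mean CVSS, mean EPSS,
    share of findings disclosed `old_threshold` or more years ago, and the age
    of the oldest finding."""
    return {
        "avg_cvss": round(mean(v.cvss for v in vulns), 2),
        "avg_epss": round(mean(v.epss for v in vulns), 2),
        "share_old": round(
            sum(1 for v in vulns if age(v, current_year) >= old_threshold) / len(vulns), 2
        ),
        "oldest_age": max(age(v, current_year) for v in vulns),
    }


if __name__ == "__main__":
    findings = load(SAMPLE)
    print("CVSS-only order:", [v.vid for v in prioritize_cvss_only(findings)])
    print("CVSS+EPSS order:", [v.vid for v in prioritize(findings, 2023)])
    print("Summary:", summarize(findings, 2023))
```

Run against the constructed sample, the CVSS-only queue puts `EXAMPLE-0001` first even though almost nothing exploits it, while the combined queue moves the heavily exploited, seven-year-old `EXAMPLE-0002` to the top. The summary figures are the same kind of aggregate the report cites (average CVSS, average EPSS, share of old disclosures), so the function can be pointed at a real scan export to reproduce that view for one organization.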