It is a manufacturer’s dilemma. Yes, there is a vulnerability, but no it can’t be patched because the process needs to keep running.
Hopefully, the network controlling the process can keep running without incident until the next shutdown when patches can end up implemented.
The problem is more than one in four (27 percent) companies globally ended up breached as a result of unpatched vulnerabilities, a new report found.
On top of that, in Europe, the rate is even higher rate at 34 percent, according to the “2019 Managing Vulnerability Survey” commissioned by Tripwire Inc. and conducted by Dimensional Research in May with responses from 340 infosecurity professionals.
Vulnerability management starts with visibility of the attack surface, and Tripwire’s report found 59 percent of global organizations are able to detect new hardware and software on their networks within minutes or hours.
However, this is a difficult manual effort for many. Almost half (47 percent) report less than half of their assets are discovered automatically, including 13 percent who don’t even use automatic discovery solutions.
“Finding vulnerabilities is just a part of an effective vulnerability management program,” said Tim Erlin, vice president of product management and strategy at Tripwire. “It’s important for organizations to focus on building a program instead of deploying a tool. Vulnerability management has to include asset discovery, prioritization, and remediation workflows in order to be effective at reducing risk.”
In assessing the attack surface for vulnerabilities, 88 percent of security professionals said they run vulnerability scans, but the research found organizations address vulnerabilities with varying degrees of effectiveness. Compared with a past report, the use of authenticated scans has improved, with 63 percent saying they conduct authenticated scans as part of their vulnerability assessment. Despite this progress, more than one-third (39 percent) are still not scanning weekly – or more often – as recommended by industry standards.
“How you assess your environment for vulnerabilities is important if you want to effectively reduce your risk,” Erlin said. “If you are not doing authenticated vulnerability scans, or not using an agent, then you are only giving yourself a partial picture of the vulnerability risk in your environment. And if you’re not scanning for vulnerabilities frequently enough, you’re missing new vulnerabilities that have been discovered, and you may miss assets that tend to go on and off the network, like traveling laptops.”
The ability to reduce vulnerability risks varies among organizations. According to Tripwire’s report, 16 percent of U.S. organizations said they only conduct vulnerability scans to meet compliance or other requirements. This rate was higher for European organizations, at 21 percent.
“Meeting a regulation or compliance requirement does not necessarily mean you’ve effectively managed your security risk,” Erlin said. “Compliance requirements are most often about protecting someone other than your organization. That might be the consumer or credit card companies or another entity. Securing your business requires that you define an acceptable level of risk and manage to that target.”
Fifty percent of infosecurity professionals said they conduct vulnerability scans to reduce risk, but only have the bandwidth to focus on high-severity vulnerabilities. Nearly all respondents indicated constraints like people and processes (78 percent) and budget (65 percent prevent them from addressing all of the vulnerabilities they want to tackle.
Click here for more information on the Tripwire report.