Positive Technologies: one pilot project revealed more than 700 trending vulnerabilities
The company presented the results of pilot projects for the implementation of the MaxPatrol VM system.
Positive Technologies presented the results of its analysis of pilot projects for the implementation of MaxPatrol VM, conducted in government agencies, financial institutions, industrial and other companies from the beginning of 2022 to February 2023.
On average, more than 700 trending vulnerabilities were identified per pilot project. The results of the implementation showed that most organizations make mistakes in prioritizing assets, do not regularly update asset data, and that overdue vulnerabilities occur in a third of companies.
One of the main problems identified during the pilot projects is the insufficient classification of assets, that is, their separation according to the level of significance for the organization participating in the project. 80% of projects had assets whose importance was not defined, which increases the risk of leaving important systems without proper protection. Positive Technologies experts recommend starting the vulnerability management process with the assessment and classification of assets in order to highlight the most significant of them and ensure their priority protection.
According to company analysts, about a quarter of companies have built a process for prioritizing identified vulnerabilities without taking into account the importance of the assets on which they were discovered. In addition, experts say that 76% of projects did not take into account the severity level of a vulnerability when formulating remediation policies, and 59% did not consider the presence of a public exploit.
“We advise you to pay attention, among other things, to the popularity of the vulnerability among attackers — its trendiness. Often, recently published vulnerabilities for which security updates have not yet been released are gaining popularity. However, vulnerabilities from previous years can also be trending — according to our data, they continue to be relevant and are actively used by attackers. Such vulnerabilities should be addressed first, as attackers often use them in attack chains, and for many of them there is a public exploit,” experts recommend.
During the pilot projects, trending vulnerabilities were found in 36% of high-value assets, with an average of four vulnerabilities per asset. Most often they were found in Windows components and other Microsoft products.
Another problem identified was outdated asset information. In 75% of companies, asset data was not updated on time; as a result, scans were skipped and some vulnerabilities were not detected. Positive Technologies recommends conducting asset inventories on a regular basis to keep information up to date and ensure timely detection and remediation of vulnerabilities.
According to a study by Positive Technologies, most companies make mistakes in prioritizing vulnerabilities, that is, they do not take into account the significance of assets and the severity level of vulnerabilities when formulating remediation policies. This can lead to missing the most critical infrastructure vulnerabilities.
In all the organizations studied, the minimum time for fixing vulnerabilities turned out to be longer than the time after which attackers begin to use vulnerabilities in attacks. Experts recommend setting minimum deadlines for fixing vulnerabilities on high-value assets, especially when trending and critical vulnerabilities are discovered.
The pilot projects also revealed serious problems with the untimely elimination of deficiencies in information systems. One in three companies violated a vulnerability mitigation policy, with about 30% of high-value assets containing an average of seven overdue trending vulnerabilities. According to experts, when information security specialists miss remediation deadlines, attackers' work becomes easier. Companies need to allocate resources for the timely elimination of vulnerabilities and make this process regular and controlled.