
Too many high-risk vulnerabilities leave CISOs scrabbling to patch

Too many critical flaws are given high priority, leading to a patch overload that CISOs cannot keep up with, according to F-Secure

IT security company F-Secure has warned that there is too much hype surrounding zero-day vulnerabilities.

In its State of Cyber Security 2017 report, the anti-virus security company noted: “The website, CVEDetails.com, shows an average vulnerability score of 6.8 across all known vulnerabilities and on all known platforms.”

Of the more than 80,000 known vulnerabilities in the CVE database, around 12,000 (roughly 15%) are classified as high-severity, said F-Secure.

F-Secure said high-severity vulnerabilities are generally considered the top priority. “They get handled in well-run organisations. High-severity vulnerabilities get a lot of visibility and, because of this, they’re patched on the spot.

“Your CISO is probably more worried about phishing and upstream attacks than internal network misconfigurations and unpatched internal systems. As an IT admin, taking care of infrastructure is your biggest concern.”

As such, applying every patch to every piece of software on every system on the corporate network as soon as the patch is released is simply not feasible. F-Secure said admins rely on periodic patch cycles to fix low-severity vulnerabilities, if they patch them at all.

“Taking time out of their day to understand the implications of every newfound vulnerability out there is too much to ask for most IT admins,” the report noted.

“In many cases, they simply don’t bother,” it said, adding that the challenge for CISOs is prioritising what to patch first.
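The prioritisation problem the report describes can be made concrete with a small triage routine. The following is an added illustration, not code from F-Secure or the report: it bands constructed findings into the CVSS v2 qualitative bands that NVD and CVE Details use (Low 0.0 to 3.9, Medium 4.0 to 6.9, High 7.0 to 10.0), reproduces the report's two statistics (average score and share of high-severity findings) over the sample, assigns High findings to immediate patching and everything else to the periodic cycle, and orders the patch queue. The ranking rule (band first, then whether the host is internet-facing, then raw score) and the sample findings are assumptions chosen for the example.

```python
"""Patch triage by CVSS severity band (added example, not F-Secure's code)."""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List


def severity_band(score: float) -> str:
    """Map a CVSS v2 base score to the NVD/CVE Details qualitative band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


# Assumed policy mirroring the report: High is patched on the spot,
# everything else waits for the periodic patch cycle.
def patch_window(band: str) -> str:
    return "immediate" if band == "High" else "next cycle"


@dataclass(frozen=True)
class Finding:
    ident: str            # internal finding label (constructed, not a CVE id)
    host: str
    cvss: float           # CVSS v2 base score
    internet_facing: bool  # exposure of the affected host


# Constructed sample findings for the example; no real advisories are referenced.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("f1", "web-01", 7.5, True),
    Finding("f2", "db-02", 9.3, False),
    Finding("f3", "web-02", 6.8, True),
    Finding("f4", "file-01", 5.0, False),
    Finding("f5", "vpn-01", 4.3, True),
    Finding("f6", "print-01", 2.1, False),
]


def summarise(findings: List[Finding]) -> Dict[str, float]:
    """Average score and share of High findings, as the report quotes them."""
    scores = [f.cvss for f in findings]
    high = sum(1 for f in findings if severity_band(f.cvss) == "High")
    return {
        "count": len(findings),
        "average_score": mean(scores),
        "high_share": high / len(findings),
    }


_BAND_RANK = {"High": 2, "Medium": 1, "Low": 0}


def patch_queue(findings: List[Finding]) -> List[str]:
    """Order findings for patching.

    Assumed rule: severity band first, then internet-facing hosts before
    internal ones, then raw score. Within the High band an exposed host at
    7.5 therefore outranks an internal host at 9.3.
    """
    ordered = sorted(
        findings,
        key=lambda f: (_BAND_RANK[severity_band(f.cvss)], f.internet_facing, f.cvss),
        reverse=True,
    )
    return [f.ident for f in ordered]


if __name__ == "__main__":
    stats = summarise(SAMPLE_FINDINGS)
    print(f"{stats['count']} findings, average CVSS {stats['average_score']:.2f}, "
          f"{stats['high_share']:.0%} High")
    for ident in patch_queue(SAMPLE_FINDINGS):
        f = next(x for x in SAMPLE_FINDINGS if x.ident == ident)
        band = severity_band(f.cvss)
        print(f"{ident:3} {f.host:9} {f.cvss:4.1f} {band:6} -> {patch_window(band)}")
```

The ranking deliberately lets exposure override raw score inside a band, which is the kind of local judgement the report says admins have no time to make per vulnerability; encoding it once as a rule is what turns a flood of advisories into a short queue.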

The company said most users are ill-prepared for a world where information on the internet is never forgotten.

The report stated: “People say they understand the internet, and maybe in a technical sense they do. But most users are in the dark when it comes to grasping the significance of technologies that log and track everything.

“Very few people fully comprehend the fact that their data isn’t going to disappear, so defenders need to protect it. That protection cannot depend completely on the idea that security plans – no matter how good they are – are foolproof.”
