Financial sector takes up to 176 days to patch security flaws

We might be better at detecting threats, but in two decades we have yet to prove we can fix security flaws in a reasonable time.
Written by Charlie Osborne, Contributing Writer

The financial industry takes an average of 176 days to patch security problems, a new analysis of reported vulnerabilities reveals.

Cybersecurity threat prediction and remediation firm NopSec has released an analysis of over 65,000 security vulnerabilities recorded across two decades. The report, titled "2015 State of Vulnerability Risk Management," reveals that key security issues and known vulnerabilities are being overlooked by the enterprise -- and it takes far too long to patch problems as they surface.

The report analyzed over 65,000 vulnerabilities logged within the National Vulnerability Database, a US government repository of standards-based vulnerability management data which includes security-related software flaws, misconfigurations, product names, and impact metrics.

By analyzing this data across a 20-year period, NopSec was able to determine how long, on average, it has taken players in different industries to recognize and patch problems, ranging from the finance sector to education.

The research focused on vulnerability records within the Common Vulnerability Scoring System (CVSS) base score database, access vectors and the platforms (CPE) where the vulnerabilities were found.

The two-decade analysis revealed that Microsoft, unsurprisingly, dominates in the volume of reported and known vulnerabilities associated with the firm's products. The Redmond giant is the top vendor in every industry due to the vast global deployment of Windows products; however, corporate applications such as Oracle, Sun Java, and Adobe readers dominate as the most vulnerable applications used within the enterprise.


Across the healthcare, education and cloud technology sectors, open-source technologies are among the most vulnerable platforms.


NopSec says vulnerability detection is at an "all-time high," however, it still takes the average organization far too long to address known security issues. On average, a company takes 103 days to remedy a security problem. The analysis suggests cloud providers remediate security issues fastest -- taking an average of 50 days -- followed by healthcare providers at 97 days.

However, financial services, banking and education take up to 176 days on average to correct security problems. According to NopSec, nearly a third of financial companies perform shockingly in resolving vulnerabilities within their networks, taking up to a year to fix a security flaw.


The analysis also suggests cloud providers face more vulnerabilities per asset than all other industries combined, with an average of 18 flaws per asset -- in comparison to only six in financial services, three in healthcare and two in education.

"Despite the risk of exposure, cloud providers rank as the most progressive industry in terms of the remediation of known security issues -- closing 90 percent of identified vulnerabilities in less than 30 days," the report states.

In addition, security vulnerabilities in applications are remediated nine times faster than network vulnerabilities. On average, application vulnerabilities are fixed within three weeks of exposure, while network flaws are often left unaddressed for up to 182 days. These figures account only for open-ticket workflows, so the time from scan to report could add days, weeks or months to the time taken to fix vulnerabilities.


Michelangelo Sidagni, NopSec Chief Technology Officer and Head of NopSec Labs, commented:

"Organizations are still very vulnerable to exploitation. Although businesses have been alerted of the potential risks, system vulnerabilities and misconfigurations continue to be the root causes for costly security breaches. Detection is simply not enough in today's threat landscape of sophisticated attacks; organizations need to focus on improving threat prioritization.

"Vulnerability remediation efforts need to move much faster than they are right now in order to close the window of opportunity for exploitation and win the race against hackers."
