Healthcare lags behind in critical vulnerability management, banks hold their ground

New research sheds light on which industries are performing well when it comes to patching high-risk bugs.

Working from home? How hackers expose vulnerabilities remotely

Vulnerability management is a key component of modern strategies to combat cyberattackers, but which industries perform well in this area?

The general public faces phishing attempts, spam, malvertising, and more in their daily lives. However, in the business realm, successfully targeting major companies -- including banks, industrial giants, and medical facilities -- can be far more lucrative for cybercriminals.

Stolen bank account data can be used to conduct fraudulent payments; information can be taken for the purposes of cyberespionage, and in the industrial sector, disrupting core operations can impact everything from energy supplies to water availability for customers. 

One of the common avenues for attacks against the enterprise is the exploitation of unpatched vulnerabilities, and so it is crucial for organizations to maintain frequent patch cycles that tackle the most high-risk security issues for their networks promptly. 

However, not every business -- and not in every industry -- perform patch management equally. According to new research from Kenna Security and the Cyentia Institute, there are significant gaps in how different markets deal with vulnerabilities, including high-risk security flaws. 

"Finance companies have a big target on their backs," the company says. "Tech companies have the skills to get the job done. Manufacturing firms are insulated from danger with lots of custom and rare applications that few hackers would bother to develop exploits for. And the healthcare industry? Well, the conventional wisdom says that it's crammed full of tech, but hacks aren't easy to monetize."

See also: SigRed: A 17-year-old 'wormable' vulnerability for hijacking Microsoft Windows Server

On Tuesday, the cybersecurity firm released a report into vulnerability management conducted by the financial, manufacturing, medical, and technological industries.

Manufacturing: Kenna Security says that industrial companies tend to take "twice as long" to fix bugs in comparison to other sectors, and also have double the number of vulnerabilities per asset -- such as printers, IoT devices, and PCs in use.

However, only 5% of bugs are deemed high-risk, and the industry may be further protected as few threat actors have developed exploit kits focused on this area. In total, 44% of manufacturing companies reduce their exposure to bugs that can be weaponized every month, but 39% "end each month with more high-risk vulnerabilities than they started with." In total, 17% are reported as "breaking even."

Technology: Given their nature, tech companies tend to have fewer vulnerabilities per asset than other industries, and patch management is generally conducted more quickly. 

According to the research, a typical company will close approximately 25% of newly-disclosed vulnerabilities within 19 days. In comparison, a technology firm will close 25% in seven days; 50% in 17 days; and 75% in 67 days. 

screenshot-2020-09-22-at-17-13-53.png

High-risk vulnerabilities, too, are tackled rapidly. In total, tech firms will close roughly 90% of them per month, whilst 80% of organizations will either hold their ground or reduce their security 'debt' each month. 

Healthcare: When cyberattacks disrupt healthcare providers, the consequences can be fatal -- as we saw in the recent death of a patient at a German hospital. As a result, the medical industry is often subject to attacks including ransomware as threat actors bet they will pay up rather than put lives at risk. 

CNET: Trump administration reportedly looking at Tencent's investments after scrutinizing TikTok

To deploy such malware, phishing or the weaponization of vulnerabilities are common attack vectors. 

The report says that a typical healthcare organization has roughly 34 bugs per asset and 50% of common bugs take 50 days to patch, causing a "lag" in comparison to other sectors. 

screenshot-2020-09-22-at-12-21-44.png

However, many healthcare providers do gain ground when it comes to critical issues, with 67% of overall companies reducing their high-risk exposure every month. In total, 25% fall behind. 

Finance: There will always be cybercriminals that target financial companies as many are motivated by money, and if they can obtain access to corporate networks or customer data, they may be able to earn themselves an illicit fortune. 

TechRepublic: Mozilla's VPN service works across mobile and desktop platforms

It should not be a surprise, then, that financial companies tend to deal with half of newly-disclosed vulnerabilities within 44 days -- in comparison to an average of 34 days across other industries -- an achievement when you consider they often have four times the number of vulnerabilities than others when it comes to assets. 

screenshot-2020-09-22-at-12-38-04.png

"Financial firms traditionally have a large digital footprint incorporating numerous software and services and that translates to more vulnerabilities," Kenna Security notes. "More assets inherently means more strife for vulnerability management programs."

Perhaps more importantly, financial organizations hold their own when it comes to critical bugs. Every month, 85% of the most dangerous vulnerabilities are closed, and 70% either break even or resolve additional security flaws. 

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0