Zero-days and exploits make for flashy news, but there is some good news about software flaws: most of the ones that actually turn up on scanned networks fall into the “minor” band.
The College of Information Sciences and Technology at Penn State and Tripwire crunched the numbers for the top 25% of vulnerability management contributors, scanning their networks nearly continuously, and determined that they had an average aggregate host risk score of 2.14 using the Common Vulnerability Scoring System (CVSS).
CVSS is an industry standard for scoring the severity of vulnerabilities so that remediation work can be prioritized. Base scores range from 0 to 10; under the bands the study uses, 7.0 to 10.0 is critical, 4.0 to 6.9 is major and 0 to 3.9 is minor. A 2.14 average lands well inside the minor band, which counts as good news as far as it goes: for every Heartbleed, there are dozens of lower-impact issues. Two caveats apply. An average across hosts can hide a single host carrying a 10.0, so the critical findings still need to be reported on their own. And a base score describes a flaw's intrinsic severity, not whether it is being exploited in the wild or what the affected host protects.
“Average aggregate host risk score and average days since last scan are excellent indicators of vulnerability management performance because they tend to move in the same direction,” said Rod Murchison, vice president of product management at Tripwire, in a statement. “Together, these scores indicate that companies that scan more frequently tend to have a more effective vulnerability remediation process, lowering their overall vulnerability risk scores.”

The security firm donated its Benchmark service to the Center for Cyber Security, Information Privacy and Trust at Penn State’s College of Information Sciences and Technology in April. The school then created Penn State’s Benchmark, a free, cloud-based cybersecurity analytics service.
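The two metrics named above, worked through on a small constructed fleet, as an added example that is not code from the article, from Tripwire, or from Penn State's Benchmark. The severity bands are the ones the article quotes; the per-host aggregation (mean CVSS base score of open findings), the sample hosts and their scan dates are assumptions, since the page does not state Tripwire's formula.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from datetime import date
from statistics import mean


def cvss_severity(score: float) -> str:
    """Bucket a CVSS base score into the bands the article quotes:
    0-3.9 minor, 4.0-6.9 major, 7.0-10.0 critical."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score >= 7.0:
        return "critical"
    if score >= 4.0:
        return "major"
    return "minor"


@dataclass
class Host:
    name: str
    last_scan: date
    # CVSS base scores of the findings still open on this host.
    open_cvss: list[float] = field(default_factory=list)

    def aggregate_risk(self) -> float:
        """Assumed per-host aggregation: mean base score of open findings,
        0.0 for a host with nothing open. Tripwire's real formula is not
        stated in the article."""
        return mean(self.open_cvss) if self.open_cvss else 0.0

    def worst_finding(self) -> float:
        return max(self.open_cvss, default=0.0)


def avg_host_risk(hosts: list[Host]) -> float:
    """The article's first metric: mean of the per-host aggregate risk scores."""
    return mean(h.aggregate_risk() for h in hosts)


def avg_days_since_scan(hosts: list[Host], today: date) -> float:
    """The article's second metric: mean age of each host's last scan."""
    return mean((today - h.last_scan).days for h in hosts)


def severity_histogram(hosts: list[Host]) -> dict[str, int]:
    """Count open findings per severity band across the fleet."""
    return dict(Counter(cvss_severity(s) for h in hosts for s in h.open_cvss))


def hosts_with_critical_findings(hosts: list[Host]) -> list[str]:
    """Hosts carrying at least one 7.0+ finding. A fleet average in the
    'minor' band says nothing about these, so list them separately."""
    return [h.name for h in hosts if cvss_severity(h.worst_finding()) == "critical"]


def stale_hosts(hosts: list[Host], today: date, max_age_days: int) -> list[str]:
    """Hosts whose last scan is older than the allowed window."""
    return [h.name for h in hosts if (today - h.last_scan).days > max_age_days]


# Constructed sample fleet, not real scan output.
TODAY = date(2014, 6, 15)
FLEET = [
    Host("web01", date(2014, 6, 10), [2.1, 3.5, 5.0]),
    Host("db01", date(2014, 6, 12), [10.0, 1.9]),
    Host("app01", date(2014, 6, 11), [1.2, 2.6]),
    Host("bastion", date(2014, 6, 12), []),
]

if __name__ == "__main__":
    risk = avg_host_risk(FLEET)
    print(f"average aggregate host risk score: {risk:.2f} ({cvss_severity(risk)})")
    print(f"average days since last scan:      {avg_days_since_scan(FLEET, TODAY):.2f}")
    print(f"findings by band:                  {severity_histogram(FLEET)}")
    print(f"hosts with a critical finding:     {hosts_with_critical_findings(FLEET)}")
    print(f"hosts not scanned in 4 days:       {stale_hosts(FLEET, TODAY, 4)}")
```

On this fleet the average aggregate host risk score comes out in the minor band while db01 still carries a 10.0, which is why a dashboard should report hosts with critical findings and hosts with stale scans next to the two averages rather than relying on the averages alone.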
Vulnerability management is a leading indicator of security program performance, and it is referenced in every major security standard, including the Payment Card Industry Data Security Standard (PCI DSS), the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity and the 20 Critical Security Controls (20 CSC). Proactive management of vulnerabilities reduces the likelihood of a successful attack and improves risk posture. Average host risk score and average days since the last scan are two key vulnerability management metrics derived from
“Benchmark is a great example of the type of tools we need to train the next generation of cybersecurity analysts, and that is precisely why we are integrating it into our undergraduate curriculum,” said David Hall, dean of the College of Information Sciences and Technology at Penn State. “Benchmark metrics help analysts take a qualitative approach to the capabilities of their cybersecurity infrastructure. Together, these metrics also make it possible for cybersecurity experts to evaluate the performance of their security controls at a higher level of abstraction.”