Half of companies think their networks are ripe for attack

Over the past six months, half of the companies surveyed had experienced a cyberattack that led to a service outage, unauthorized access, data breach, or other damage. The Skybox Security Vulnerability Management Survey 2012, conducted in conjunction with Osterman Research, polled more than 100 IT decision makers, including security managers and network and systems engineers involved in vulnerability management processes.

The survey found that 90% of companies have a vulnerability management program and consider vulnerability management a priority.

The survey identified a disconnect between the frequency and breadth of vulnerability scanning actually performed and the level the respondents felt was needed. Around 40% of companies scan their internal networks once per month or less frequently, and critical DMZs are typically scanned once per week or less often. DMZs are subnetworks placed between the company’s private network and the public network.

“If you have a round-robin scanning approach where you are looking at a small portion of the infrastructure every other month, it is not going to be successful. Even if the scan gives you information you can use, that process will not lead you to reduce your risk level over time”, commented Michelle Johnson Cobb, vice president of worldwide marketing at Skybox Security.

“There are a lot of security gaps out there, and it is no wonder that organizations are challenged in trying to reduce the occurrence of data breaches and attacks”, Cobb told Infosecurity.

The survey also identified scan coverage as a problem: 27% of large organizations reported scanning fewer than half of the hosts in their DMZ per cycle, while 60% of medium-sized companies scan fewer than half of their DMZ hosts. Three-fourths of large organizations scan at least 50% of the hosts in their DMZ, while only 39% of mid-size organizations do. Close to half of respondents said their organizations did not conduct vulnerability scanning as often or as in-depth as they would like.

Respondents gave a number of reasons for the poor scanning frequency and coverage. Fifty-seven percent of companies reported that traditional active scanning often disrupts network services and vital business applications, 33% reported that parts of the network are not scannable, and 29% said that they have difficulty obtaining the system credentials required to conduct authenticated scans.

“Organizations are realizing that things are reaching a breaking point”, Cobb said. “They have to find ways to get updated information faster, to use new technologies and ways to put together multiple sources of data, and to automate those processes”, she added.

