Twitter Mentions More Effective Than CVSS at Reducing Exploitability
Monitoring Twitter mentions of vulnerabilities may be twice as effective as CVSS scores at helping organizations prioritize which bugs to patch first, according to new research.
Kenna Security’s latest report, Prioritization to Prediction, Volume 8: Measuring and Minimizing Exploitability, was compiled with help from the Cyentia Institute.
It confirmed what many security experts have been saying for some time: the sheer volume of CVEs discovered today means organizations must get better at prioritizing which vulnerabilities to fix.
Although an average of 55 bugs were discovered every day in 2021, the good news is that only 4% posed a high risk to organizations, according to the research. It went further, claiming that 62% of the vulnerabilities studied had less than a 1% chance of exploitation, while only 5% exceeded a 10% probability.
To arrive at its findings, Kenna Security used an industry-devised Exploit Prediction Scoring System (EPSS), which uses CVE information and real-world exploit data to predict “whether and when” vulnerabilities will be exploited in the wild.
Not all vulnerability management strategies are created equal, argued Kenna Security co-founder and CTO, Ed Bellis.
“Prioritizing vulnerabilities with exploit code is 11 times more effective than CVSS scores in minimizing exploitability. Mentions on Twitter, surprisingly, also have a much better signal-to-noise ratio than CVSS (about two times better),” he wrote.
“We also learned that, given the choice, it’s far more effective to improve vulnerability prioritization than increase remediation capacity … but doing both can achieve a 29-times reduction in exploitability.”
Bellis concluded that prioritizing bugs via exploitability rather than technical CVSS scores is “the strategy of the future” and one that US government security experts appear to be taking.
“The data shows that taking this more measured approach of prioritizing exploitability over CVSS scores is the way to go and the recent Cybersecurity and Infrastructure Security Agency (CISA) directive agrees,” he argued.
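The report's argument is about how much "exploitability" remains after a team spends a fixed remediation budget under each prioritization rule. The following added example (not code from the report, Kenna Security or Cyentia) models that comparison on a constructed inventory of eight placeholder CVEs with made-up CVSS scores, EPSS probabilities, exploit-code availability, Twitter mention counts and a ground-truth "exploited" flag. It ranks the inventory by CVSS, by exploit-code availability, by Twitter mentions and by EPSS, patches the top N, and reports coverage (share of exploited bugs that got patched), efficiency (share of patched bugs that were actually exploited) and the probability that at least one unpatched bug is exploited. That last metric treats EPSS probabilities as independent, which is an assumption of this example, not a definition taken from the report.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss: float            # CVSS base score
    epss: float            # EPSS: predicted probability of exploitation in the wild
    exploit_code: bool     # public exploit code observed for this CVE
    twitter_mentions: int  # number of tweets referencing the CVE
    exploited: bool        # ground truth used to score each strategy (constructed)


# Constructed sample inventory: the identifiers and values are illustrative only.
SAMPLE = [
    Vuln("CVE-0000-0001", 9.8, 0.020, False, 200, False),  # high CVSS, hyped, never exploited
    Vuln("CVE-0000-0002", 7.5, 0.450, True,  120, True),
    Vuln("CVE-0000-0003", 9.1, 0.010, False, 2,   False),
    Vuln("CVE-0000-0004", 5.3, 0.300, True,  40,  True),   # low CVSS, exploited anyway
    Vuln("CVE-0000-0005", 8.8, 0.030, False, 1,   False),
    Vuln("CVE-0000-0006", 6.5, 0.120, True,  15,  False),
    Vuln("CVE-0000-0007", 4.3, 0.005, False, 0,   False),
    Vuln("CVE-0000-0008", 7.2, 0.200, True,  60,  True),
]

# Sort keys for each prioritization rule; lower key sorts first.
STRATEGIES = {
    "cvss":         lambda v: -v.cvss,
    "exploit_code": lambda v: (not v.exploit_code, -v.epss),  # exploit code first, then EPSS
    "twitter":      lambda v: (-v.twitter_mentions, -v.cvss),
    "epss":         lambda v: -v.epss,
}


def prioritize(vulns, strategy):
    """Return the inventory ordered by the named strategy, most urgent first."""
    return sorted(vulns, key=STRATEGIES[strategy])


def exploitability(vulns):
    """Probability that at least one of the given vulns is exploited, treating
    each EPSS probability as independent (an assumption of this example)."""
    p_none = 1.0
    for v in vulns:
        p_none *= 1.0 - v.epss
    return 1.0 - p_none


def evaluate(vulns, strategy, capacity):
    """Patch the top `capacity` items under a strategy and score the outcome."""
    ranked = prioritize(vulns, strategy)
    patched, unpatched = ranked[:capacity], ranked[capacity:]
    exploited_total = sum(v.exploited for v in vulns)
    hits = sum(v.exploited for v in patched)
    return {
        "coverage": hits / exploited_total if exploited_total else 0.0,
        "efficiency": hits / len(patched) if patched else 0.0,
        "exploitability": exploitability(unpatched),
    }


def compare(vulns, capacity):
    """Score every strategy at the same remediation capacity."""
    return {name: evaluate(vulns, name, capacity) for name in STRATEGIES}


if __name__ == "__main__":
    print(f"baseline exploitability (nothing patched): {exploitability(SAMPLE):.3f}")
    for cap in (3, 6):
        print(f"\nremediation capacity = {cap} of {len(SAMPLE)}")
        for name, m in compare(SAMPLE, cap).items():
            print(f"  {name:<13} coverage={m['coverage']:.2f} "
                  f"efficiency={m['efficiency']:.2f} "
                  f"exploitability={m['exploitability']:.3f}")
```

Running it on the constructed inventory shows the shape of the report's claim: with capacity for three fixes, the CVSS ordering patches three never-exploited bugs and leaves exploitability almost untouched, while exploit-code ordering patches all three exploited bugs. Doubling CVSS-driven capacity to six still leaves more residual exploitability than exploit-code ordering at three, and combining the better ordering with the larger budget drives it close to zero, which is the "improve prioritization first, then do both" point Bellis makes.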