Twitter Mentions More Effective Than CVSS at Reducing Exploitability
Monitoring Twitter mentions of vulnerabilities may be twice as effective as CVSS scores at helping organizations prioritize which bugs to patch first, according to new research.
Kenna Security’s latest report, Prioritization to Prediction, Volume 8: Measuring and Minimizing Exploitability, was compiled with help from the Cyentia Institute.
It confirmed what many security experts have been saying for some time: the sheer volume of CVEs discovered today means organizations must get better at prioritizing which vulnerabilities to fix.
Although an average of 55 bugs were discovered every day in 2021, the good news is that only 4% posed a high risk to organizations, according to the research. It went further, claiming that 62% of the vulnerabilities studied had a less than a 1% chance of exploitation, while only 5% exceeded a 10% probability.
To arrive at its findings, Kenna Security used an industry-devised Exploit Prediction Scoring System (EPSS), which uses CVE information and real-world exploit data to predict “whether and when” vulnerabilities will be exploited in the wild.
Not all vulnerability management strategies are created equal, argued Kenna Security co-founder and CTO, Ed Bellis.
“Prioritizing vulnerabilities with exploit code is 11 times more effective than CVSS scores in minimizing exploitability. Mentions on Twitter, surprisingly, also have a much better signal-to-noise ratio than CVSS (about two times better),” he wrote.
“We also learned that, given the choice, it’s far more effective to improve vulnerability prioritization than increase remediation capacity … but doing both can achieve a 29-times reduction in exploitability.”
Bellis concluded that prioritizing bugs via exploitability rather than technical CVSS scores is “the strategy of the future” and one that US government security experts appear to be taking.
“The data shows that taking this more measured approach of prioritizing exploitability over CVSS scores is the way to go and the recent Cybersecurity and Infrastructure Security Agency (CISA) directive agrees,” he argued.
More Stories
Former RAC Employees Get Suspended Sentence for Data Theft
Two former RAC employees have been handed suspended prison sentences for trading in personal data Read More
Over 240 Million US Breach Victims Recorded in Q3
Supply chain victim numbers surge as more than 240 million US residents are impacted by data breaches in Q3 2024...
Smashing Security podcast #388: Vacuum cleaner voyeur, and pepperoni pact blocks payout
Join us as we delve into the world of unexpected security breaches and legal loopholes, where your robot vacuum cleaner...
Lamborghini Carjackers Lured by $243M Cyberheist
The parents of a 19-year-old Connecticut honors student accused of taking part in a $243 million cryptocurrency heist in August...
Apple’s iPhone Mirroring Flaw Exposes Employee Privacy Risks
The privacy flaw in Apple’s iPhone mirroring feature enables personal apps on an iPhone to be listed in a company’s...
New BeaverTail Malware Targets Job Seekers via Fake Recruiters
New BeaverTail malware targets tech job seekers via fake recruiters on LinkedIn and X Read More