This past November, the European Union Agency for Cybersecurity (ENISA) released its NIS Investments Report 2023, a rundown of how critical EU operators have been investing in cybersecurity pursuant to the NIS Directive. It not only covers how money has been spent, but suggests how it ought to be spent going forward.
One particular point of emphasis? Vulnerability management.
Vulnerability Management Timelines
The report noted the time it takes for certain EU operators to perform basic vulnerability management tasks. Over half (51%) of all organizations in the transport sector take at least a month to patch critical CVEs, while 21% need between one and six months. As of yet, only 28% can fix “critical vulnerabilities on critical assets” within a week.
However, Mieng Lim, VP of Product Management at Fortra, cautions that these face-value figures may not tell the whole story. She explains, “Resolving a vulnerability is complex. Sometimes introducing a patch, especially within legacy applications, can create problems within adjacent systems and even break them.” That is why she suggests, “Take your time. We know zero dwell time is the goal but remember to look at the bigger picture. Sometimes it takes time to see how things are going to play out, so don’t be afraid to take that time, test the fixes, and retest if necessary.”
She also emphasizes the importance of prioritizing which vulnerabilities to go after, especially for resource-strapped security teams. “A lot of people think that VM slows things down. But it really helps you get to the important things faster by identifying which CVEs are the most worth your time. Because sometimes a lower-score vuln can have a surprisingly big impact, it’s important to get all the context you can. A complete vulnerability management solution suite with pen testing and red teaming can give you a 360-degree view and help you know what’s really important.”
The Top-Listed Threat: Software Supply Chain
VM also features prominently in securing the software supply chain, the first-listed of 10 significant cyber challenges expected to shape the cybersecurity landscape over the next decade.
Citing “the most significant data breach in history,” the report noted how 18,000 customers were impacted by the SolarWinds software compromise and highlighted the ENISA expectation that by 2030, organizations would have widely adopted DevOps as standard practice.
It called attention to the fact that 80% of code in modern applications relies on open-source software, and that researchers detected at least one open-source vulnerability in 84% of all commercial and proprietary databases. In a survey of all types of databases, high-risk vulnerabilities were found in a staggering 48%.
This tees up the conclusion that as the world continues to rely on more and more potentially insecure build components, security really does have to come from within. When those insecure features are easily discoverable CVEs, vulnerability management needs to become a staple for organizations hoping to survive in the digital world going forward.
Smart Cities as a Single Point of Failure
Another opportunity for attackers to take advantage of vulnerabilities – with massive, far-reaching consequences – will be within the digital ubiquity of smart cities. Information and Communication Technology (ICT) in particular is susceptible as a single point of failure.
The report projects that ICT networks within smart cities will amass incredible amounts of data by 2030. This will increase their value to attackers, so if vulnerability management is not built in during the development process (now), hidden vulnerabilities could be exploited and weaponized with great success, “[crippling] an entire region.”
The Top-Listed Solution: Vulnerability Management
The evolving EU cybersecurity policy framework seeks to develop initiatives to combat those horizon threats, and of the three example policies listed in the report, the one leaning most heavily on VM came first. The Cyber Resilience Act (CRA) introduces common security rules specifically aimed at minimizing product vulnerabilities and ensuring VM across the lifecycle of those products. Its goal is to mitigate the obvious challenges posed by insecure digital products in the marketplace, whether in someone’s software supply chain or their own infrastructure.
Future Proofing with VM
Juhan Lepassaar, Executive Director of the EU Agency for Cybersecurity, stated, “Managing vulnerabilities is essential and must go hand-in-hand with ‘secure by design’ initiatives. In the meantime, we do need to continually invest in areas such as identifying, managing, and reporting vulnerabilities that can have an impact on the security of the whole Digital Single Market.”
As the industry moves forward in developing new technologies, particularly those bolstered by AI, this “security by design” principle will play an ever more crucial role. Vulnerability management is central to that role and will be the gate that swings wide in either direction.
If VM is included in “security by design” implementations now, it could be the means to bar the many lower-level attackers who are out for easy pickings in an ever-growing smorgasbord of digital assets. If done poorly, it could allow undiscovered assets and vulnerabilities to proliferate like dandelions within our evolving digital-physical architecture until the stakes are too high and the solutions are too little, too late.
In this report, ENISA has raised the warning flag that “boring” security maintenance routines like vulnerability management will soon prove our saving grace or our downfall. Companies that plan to future-proof their digital enterprise would be wise to invest now.
Taking a Proactive Approach with Fortra VM
Choosing a modern vulnerability management solution like Fortra Vulnerability Management (Frontline VM) is an ideal long-term solution that helps you identify, classify, and prioritize vulnerabilities on an ongoing basis. With automated scanning capabilities and on-demand reporting, you can routinely stay ahead of vulnerabilities and set your team up for proactive success in the years to come.
Choose the Right VM Option For Your Organization
Every company has different cybersecurity needs and standard vulnerability management may not be enough. Get The Case for Enterprise-Grade, Risk-Based Vulnerability Management guide and see how essential risk-based VM can be to your company.