Connect with us

Hi, what are you looking for?



Study Analyzes Corporate Security Practices Across Industries

PRAGUE – Virus Bulletin 2015 – An analysis of the vulnerabilities discovered in the systems of organizations in various industries provides some insight on the most common types of flaws and the time it takes to address them.

PRAGUE – Virus Bulletin 2015 – An analysis of the vulnerabilities discovered in the systems of organizations in various industries provides some insight on the most common types of flaws and the time it takes to address them.

Clint Gibler, a software security engineer at NCC Group’s Domain Services division and the author of the study, detailed the findings on Wednesday at the Virus Bulletin conference in Prague.

Running a commercial scanner on the systems of 100 organizations across ten industry verticals between February 2014 and May 2015 revealed a total of 908,000 security issues. The sectors analyzed by the researcher include charity, energy and utilities, financial services, health, IT, leisure and media, public sector (education and local), retail, and transport.

It’s worth noting that the number of scans, the tools used and the mode in which they were run are different between industries and between companies, which increases the difficulty of making overall statements or generalizations. However, Gibler told SecurityWeek in an interview that the data can be useful for helping organizations determine where they stand compared to others in the same industry.

As part of this research, the systems of the targeted charity organizations underwent roughly 30 scans which led to an average of more than 4,200 findings, just over half of which were classified as true positives after they were manually vetted by a technical account manager. A much larger number of vulnerabilities have been identified in other sectors, but the percentage of false positives was significantly higher in some cases.

 vulnerabilities across industries

The 49-89 percent false positive rates show that using a managed service that vets scanner reports and removes false positives can be highly valuable for companies as it saves them the time and resources needed to extract useful information from all the noise, Gibler said.

The study found that across all companies, the most prevalent types of issues were related to web application security, particularly flaws affecting the web server or language in which the web application was written. The scans also revealed numerous network issues, mainly related to crypto (SSH, SSL, PKI), and failure to meet web application best practices.

Advertisement. Scroll to continue reading.

One interesting vertical is the transport industry, where a large majority of the security issues uncovered by the scanners were vulnerabilities impacting the web server or language in which the web app was written.

Once affected companies were notified about the existence of the flaws, the vulnerable Linux packages were all updated within a 20 week timeframe. On the other hand, only 75 percent of Microsoft patches were applied in a similar timeframe, with 10 percent of the Microsoft product issues being left unresolved even after a year.

The researcher discovered that security bugs requiring more environment-specific solutions take longer to fix, and there is a higher chance that they will remain unresolved. These types of issues can include disabling a vulnerable service, reconfiguring default accounts, removing files, and updating configurations.

Overall, issues related to cryptography, such as updating OpenSSL and reconfiguring SSL, have a patching rate of roughly 60 percent within a 30 week timeframe. However, the report points out that such weaknesses are less likely to be resolved compared to other types of issues. As for web applications, over half of the identified vulnerabilities were fixed by affected organizations within ten weeks after learning of their existence.

Overall, the report shows that more than half of the vulnerabilities are generally patched within 10-20 weeks, while the rest are addressed more slowly.

“We feel this intuitively makes sense, as an organization will likely make an initial large push towards addressing the security issues they are informed about. However, the issues that are not resolved in the initial push are addressed slowly, when time permits, over the subsequent months,” Gibler explained.

The study shows a large disparity between industries in the time to fix and the overall percentage of fixed issues. When it comes to host-based vulnerabilities — those related to an operating system, a database, or out-of-date software — the transport industry addressed most of the identified flaws within a ten week period. On the other hand, it took companies in the IT industry 35 weeks to resolve just half of the vulnerabilities.

The transport industry has also been efficient in patching network-related security bugs. However, the report notes that no industry resolved more than 90 percent of network-related issues, and half of the targeted sectors resolved roughly 60 percent of the flaws.

Companies in the transport and health sectors managed to address 90 percent of the web application findings in under ten weeks. At the other end of the chart we find charities, IT firms, public sector organizations, and retailers, which needed 30-50 weeks to address 60-70 percent of the web application vulnerabilities.

“Of all three groups, host-based findings are resolved at the highest rate across industries, followed by web application and lastly network-related findings. As one might expect, the financial services industry resolved one of the highest percentages of findings in each of the categories, though not necessarily the most quickly,” Gibler said.

Each of the identified vulnerabilities was classified based on its CVSS score. However, the report shows that the severity of the uncovered issues does not have a direct impact on the time to fix.

“CVSS score does not appear to have a direct impact on the speed with which a finding is resolved, as in the first 10 weeks, findings with a score of between 3 and 6 are more likely to be resolved than those in the range of 7–10,” the researcher noted. “One potential explanation for this behaviour is that findings with a lower CVSS score are easier to address and are thus resolved quickly, while more serious findings require more effort and are thus addressed more gradually.”

The complete report will become available in the coming days.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.