Industry leaders across cybersecurity, networking, and service providers have formed the Network Resilience Coalition, a new alliance focused on securing the data and networks that underpin global economic and national security. Its key aim is to improve the resilience of network hardware and software on a global scale, bringing together infrastructure vendors and major network operators with hands-on experience deploying patches so that their experience informs sound vulnerability management policy. Founding members of the coalition include Cisco Systems, Palo Alto Networks, Fortinet, Juniper Networks, AT&T, BT Group, Lumen Technologies, Verizon, Broadcom, Intel, and VMware.
Patch, vulnerability management an ongoing challenge for organizations
While software and hardware vendors invest time and effort to ensure that their products and services are as secure as possible, organizations commonly lack robust patching and vulnerability management programs, or fail to install critical updates in a timely manner, according to a Center for Cybersecurity Policy & Law press release. The Center for Cybersecurity Policy & Law is an independent organization that provides government, private industry, and civil society with practices and policies to better manage security threats.
Effective patch and vulnerability management is an ongoing challenge for many organizations. The State of Vulnerability Management in DevSecOps report, a survey of 634 IT and IT security practitioners, found that more than half of respondents have backlogs of more than 100,000 vulnerabilities, and that the average backlog is 1.1 million vulnerabilities. What's more, 54% said they were able to patch fewer than half of the vulnerabilities in their backlog, and most respondents (78%) said that high-risk vulnerabilities in their environment take longer than three weeks to patch. The largest single group (29%) said it takes them longer than five weeks.
Among the factors that keep teams from remediating, the report noted, are an inability to prioritize what needs to be fixed (47%), not enough information about the threats that would exploit the vulnerabilities (45%), a lack of effective tools (43%), and a lack of resources (38%). Meanwhile, the 2023 Unit 42 Network Threat Trends Research report revealed a 55% increase in vulnerability exploitation in 2022 compared with 2021.
On a more positive note, the number of organizations exposed to data theft through the MOVEit Transfer vulnerabilities has dropped significantly, with at least 77% of the initially affected organizations no longer susceptible, according to research by Bitsight. Organizations are remediating the MOVEit vulnerabilities 21 times faster than they remediate other vulnerabilities, the research found. Progress, the developer of MOVEit, published an advisory warning of a critical vulnerability in its MOVEit Transfer product on May 31. Two more vulnerabilities, CVE-2023-35036 and CVE-2023-35708, were disclosed on June 9 and June 15, respectively, and three more, CVE-2023-36932, CVE-2023-36933, and CVE-2023-36934, were disclosed on July 5.
Tech companies must address poor patch, vulnerability management
Technology companies must find ways to address the persistent problem of software and hardware updates and patches not being applied, while also encouraging organizations to gain better visibility into their networks so they can mitigate cyber risk more effectively, the Center for Cybersecurity Policy & Law said. Coalition members will therefore work together on a report that investigates the root causes of these issues and produces clear, actionable recommendations for improving network security for technology providers, technology users, and those creating or regulating security policy, it added.
“Network resilience is vital to the health of our economy and our interconnected world and there is a need to focus on how to improve the security of the larger ecosystem by all sides working together,” said Ari Schwartz, coordinator of the Center for Cybersecurity Policy & Law. “Too often we see organizations fall victim to a cyberattack because an existing critical update or patch wasn’t made.”