{"id":37276,"date":"2020-09-22T18:17:18","date_gmt":"2020-09-22T18:17:18","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/31598\/Healthcare-Lags-Behind-In-Critical-Vulnerability-Management.html"},"modified":"2020-09-22T18:17:18","modified_gmt":"2020-09-22T18:17:18","slug":"healthcare-lags-behind-in-critical-vulnerability-management","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/healthcare-lags-behind-in-critical-vulnerability-management\/","title":{"rendered":"Healthcare Lags Behind In Critical Vulnerability Management"},"content":{"rendered":"

Vulnerability management is a key component of modern strategies to combat cyberattackers, but which industries perform well in this area?<\/p>\n

The general public faces phishing attempts, spam, malvertising, and more in their daily lives. However, in the business realm, successfully targeting major companies — including banks, industrial giants, and medical facilities — can be far more lucrative for cybercriminals.<\/p>\n

Stolen bank account data can be used to conduct fraudulent payments; information can be taken for the purposes of cyberespionage, and in the industrial sector, disrupting core operations can impact everything from energy supplies to water availability for customers.  <\/p>\n

One of the common avenues for attacks against the enterprise is the exploitation of unpatched vulnerabilities, and so it is crucial for organizations to maintain frequent patch cycles that tackle the most high-risk security issues for their networks promptly.  <\/p>\n

However, not every business — and not in every industry — perform patch management equally. According to new research<\/a> from Kenna Security and the Cyentia Institute, there are significant gaps in how different markets deal with vulnerabilities, including high-risk security flaws.  <\/p>\n

“Finance companies have a big target on their backs,” the company says. “Tech companies have the skills to get the job done. Manufacturing firms are insulated from danger with lots of custom and rare applications that few hackers would bother to develop exploits for. And the healthcare industry? Well, the conventional wisdom says that it’s crammed full of tech, but hacks aren’t easy to monetize.” <\/p>\n

See also: <\/strong>SigRed: A 17-year-old ‘wormable’ vulnerability for hijacking Microsoft Windows Server<\/a> <\/p>\n

<\/section>\n

On Tuesday, the cybersecurity firm released a report into vulnerability management conducted by the financial, manufacturing, medical, and technological industries. <\/p>\n

Manufacturing:<\/strong> Kenna Security says that industrial companies tend to take “twice as long” to fix bugs in comparison to other sectors, and also have double the number of vulnerabilities per asset — such as printers, IoT devices, and PCs in use. <\/p>\n

However, only 5% of bugs are deemed high-risk, and the industry may be further protected as few threat actors have developed exploit kits focused on this area. In total, 44% of manufacturing companies reduce their exposure to bugs that can be weaponized every month, but 39% “end each month with more high-risk vulnerabilities than they started with.” In total, 17% are reported as “breaking even.” <\/p>\n

Technology: <\/strong>Given their nature, tech companies tend to have fewer vulnerabilities per asset than other industries, and patch management is generally conducted more quickly.  <\/p>\n

According to the research, a typical company will close approximately 25% of newly-disclosed vulnerabilities within 19 days. In comparison, a technology firm will close 25% in seven days; 50% in 17 days; and 75% in 67 days.  <\/p>\n

\"screenshot-2020-09-22-at-17-13-53.png\"<\/span>
<\/span><\/figcaption><\/figure>\n

High-risk vulnerabilities, too, are tackled rapidly. In total, tech firms will close roughly 90% of them per month, whilst 80% of organizations will either hold their ground or reduce their security ‘debt’ each month.  <\/p>\n

Healthcare: <\/strong>When cyberattacks disrupt healthcare providers, the consequences can be fatal — as we saw in the recent death<\/a> of a patient at a German hospital. As a result, the medical industry is often subject to attacks including ransomware as threat actors bet they will pay up rather than put lives at risk.  <\/p>\n

CNET: <\/strong>Trump administration reportedly looking at Tencent’s investments after scrutinizing TikTok<\/a> <\/p>\n

To deploy such malware, phishing or the weaponization of vulnerabilities are common attack vectors. <\/p>\n

The report says that a typical healthcare organization has roughly 34 bugs per asset and 50% of common bugs take 50 days to patch, causing a “lag” in comparison to other sectors.  <\/p>\n

\"screenshot-2020-09-22-at-12-21-44.png\"<\/span>