Solutions provider Skybox Security has released the Vulnerability Management Survey for 2012, and the findings indicate that organizations generally regard regular vulnerability scanning as being too disruptive.
The survey, conducted in conjunction with Osterman Research, revealed a "major disconnect between the frequency and the breadth of vulnerability scanning actually conducted and the amount that the respondents felt was needed."
The respondents included over one hundred information security leaders, managers, and system engineers at companies ranging in size from 250 employees to more than 350,000 personnel.
The vast majority of the companies surveyed, over ninety percent, indicate they have vulnerability management programs, yet nearly half of the respondents believe their systems are "somewhat" to "extremely" vulnerable.
"Even more surprisingly, 49 percent of companies surveyed have experienced a cyber attack leading to a service outage, unauthorized access to information, data breach, or damage over the past six months," the survey revealed.
The frequency of vulnerability scans is an issue, with critical systems being evaluated less than once per week and nearly half of the companies performing network-wide scans as little as once per month or less.
"The coverage, or percent of hosts scanned, was also an issue: 27 percent of large organizations reported scanning less than half of hosts in the DMZ per cycle, while 60 percent of medium-sized companies scan less than half of the DMZ hosts. Yet, 49 percent of respondents said their organizations did not conduct vulnerability scanning as often or as in depth as they would like," the survey found.
Of the many reasons offered for the infrequency of the scans, more than half of the respondents indicated that the process is too disruptive to business functions, while one-third said some parts of their networks were inaccessible to scanning.
"Fifty-seven percent of respondents reported that traditional active scanning often disrupts network services and vital business applications, 33 percent reported that parts of the network are not scannable, and 29 percent reported that they have difficulties gaining the system credentials required in order to conduct scans," the report notes.
Also of concern is the finding that management regards the process required for effective risk management through thorough vulnerability scanning as too complicated.
"Evidently, active vulnerability scanning can cause huge management headaches due to its disruptive nature and information overload, so scanners tend to be used primarily for 'spot checks' that aren't effective at minimizing risks. Critical vulnerabilities have to be identified, prioritized, and remediated daily, across a significant portion of the infrastructure, in order to systematically shrink the risk window and prevent data breaches and attacks," said Gidi Cohen, CEO at Skybox Security.
Key survey takeaways:
- More than 90 percent of firms have a vulnerability management program and consider vulnerability management a priority
- 49 percent of companies have experienced a cyber attack leading to a service outage, unauthorized access to information, data breach, or damage over the past six months
- 40 percent of companies scan their DMZ monthly or less frequently
- Internal networks and data centers get the top priority in terms of scanning frequency with 35 percent of organizations scanning these zones on a daily basis
- Large organizations (more than 1,500 employees) tend to scan more frequently and with greater coverage of hosts compared to mid-size organizations (250-1,499 employees)
- 73 percent of large organizations (more than 1,500 employees) scan at least 50 percent of hosts in their DMZ, while only 39 percent of mid-size organizations (250-1,499 employees) scan at least 50 percent of hosts in their DMZ
- Both large and mid-size organizations cite "concerns about disruptions caused by active scanning" and "don't have the resources to analyze more frequent scan data" as the top reasons for scanning less often than desired
- Large organizations cite lack of patching resources and non-scannable hosts as a significantly greater issue than mid-size organizations do
The full survey findings are available for download at: http://lp.skyboxsecurity.com/VMSurvey.html