CISA Data Shows Federal Civilian Agencies Faster Than Industry at Patching

An analysis of data collected by the Cybersecurity and Infrastructure Security Agency shows civilian government agencies are doing better than private sector owners and operators of critical infrastructure when it comes to a major indicator of adherence to basic cybersecurity practices.


“For the federal civilian executive branch, we’ve seen patching timeframes consistently hold at 15 days for critical vulnerabilities and 30 days for high,” said Boyden Rohner, associate director of vulnerability management at CISA. “However, outside of the federal civilian executive branch, in other critical infrastructures, the timeframes to patch have been largely longer.” 


Rohner used data gathered from entities subscribing to CISA services such as incident response and vulnerability assessment to share insights and predictions for 2020 on Wednesday as part of CISA’s third annual cybersecurity summit. 


CISA and the Office of Management and Budget recently finalized instructions for federal agencies to lay out the welcome mat for security researchers who can identify vulnerabilities in their systems. And the agency is establishing a platform it can use to hold agencies accountable to expected patching times for vulnerabilities brought to their attention. But the majority of the nation’s critical infrastructure, about 85% according to the Government Accountability Office, is privately controlled.


Rohner encouraged organizations to continue targeting the low-hanging fruit of known vulnerabilities in their management of risk.


The bad news, she said, is that “33% of critical infrastructure operates a potentially risky service exposed to the internet and 52% of critical infrastructure has a vulnerability that has a known exploit available.” But there is also good news. “We’re seeing a reduction of actionable, exploitable vulnerabilities,” Rohner said. “This means entities are prioritizing th ..
