Kenna Security has released a new report that examines the risk profile of Microsoft, Linux, and Mac assets. The Cyentia Institute has written the Prioritization to Prediction: Volume 5: In Search of Assets at Risk report, based on Kenna Security’s data on 9 million assets from 450 organizations.
The report notes that 70 percent of Microsoft’s assets have at least one high-risk vulnerability. Throughout the study, researchers identified 215 million vulnerabilities in Microsoft assets, of which 179 million, or 83%, were fixed. According to Kenna Security, the remaining 36 million untfixed vulnerabilities are higher than the combined of Max, Linux, and Unix assets.
Microsoft also has the highest percentage of closed high-risk vulnerabilities, 83%. This was followed by Apple OSX, followed by Linux/unix and web/IoT devices. In addition, 40% of Linux and Unix assets and 30% of network devices have known vulnerabilities.
However, Kenna Security also points out that fewer vulnerabilities do not necessarily mean that devices are more secure. In a world where a single high-risk vulnerability can have catastrophic consequences, effective patch priority and speed are key to security, regardless of device or software type.
Although Microsoft has more vulnerabilities than other vulnerabilities, this does not necessarily indicate a general risk because Microsoft can also fix them more quickly. The report found that Windows-based assets have an average of 119 vulnerabilities per month and patch them on average once every 36 days. By comparison, network devices have an average of only 3.6 vulnerabilities per month, but these vulnerabilities take about a year to fix.
Apple has the second-highest patch rate, at 79%. The patch rate for Linux, Unix, and other network devices is 66%.
“Microsoft is able to address critical vulnerabilities on its systems very quickly by automatically patching and ‘Patch Tuesdays’, but there are still a lot of vulnerabilities,” says Wade Baker, a partner and founder of the Cyentia Institute. “On the other hand, we see many assets, such as routers and printers, with longer shelf life for their high-risk vulnerabilities. Companies need to adjust their risk tolerance, strategy, and vulnerability management capabilities around these trade-offs. “