Tenable®, Inc., the Cyber Exposure company, released a new research report today that quantifies the window of opportunity cybercriminals have to weaponize vulnerabilities. The research found that cybercriminals have a median seven-day window of opportunity during which they can exploit a vulnerability to attack their victims, potentially siphoning sensitive data, launching ransomware attacks and causing extensive financial damage before organizations even take the first step to determine their Cyber Exposure and whether they are at risk.
According to the report, which was developed by Tenable’s newly expanded research team, it takes a median six days for a cybercriminal to weaponize vulnerabilities once a new public exploit first becomes available. However, security teams can take a median 13 days before launching their initial assessment for a new vulnerability — the first, crucial step in determining overall Cyber Exposure in modern computing environments. The resulting seven-day lag time means that cybercriminals can attack their victims at will while security teams and their organizations remain in the dark as to the true level of risk to the business.
Digital transformation has radically increased the number and type of new technologies and compute platforms – from Cloud to IoT to Operational Technology – and led to a dramatic growth in the attack surface. Inevitably, this expanding attack surface has given rise to an unrelenting barrage of vulnerabilities. Yet many organizations still run their operations programs on fixed cycles — every six weeks, for example — as though they were operating only legacy IT environments, not the dynamic computing platforms of today. Latency is therefore built directly into the cybersecurity process, giving the attacker the advantage from the outset as security and IT teams operate in organizational silos. Many CISOs are left struggling to gain basic visibility into a constantly changing threat landscape and are hampered in their efforts to manage cyber risk proactively based on business criticality.