Are We Getting It Wrong?

Due to the rising severity and frequency of cyber-attacks, enterprise spending on cybersecurity is also rising worldwide. But debate is heating up about which security methods we should employ. Where are organizations focusing their efforts, and where does the most risk lie?

According to experts, companies may not be getting their priorities right.

A recent XM Cyber report contains insights regarding enterprise cybersecurity and risks. Perhaps one of the study’s most interesting findings is the huge gap between what organizations focus on for cybersecurity and where their most serious threats lie.

The report, which uncovered over 40 million exposures, found that while companies are largely focused on CVE-based vulnerabilities – or ‘known’ software vulnerabilities – those account for “less than 1% of the average organizations’ on-prem exposure landscape.”

CVEs – What Are They and Why Enterprises Focus on Them

The CVE, or Common Vulnerabilities and Exposures, is a list of publicly disclosed cybersecurity vulnerabilities and exposures. The CVE program was started in 1999 by the National Institute of Standards and Technology (NIST) and the MITRE Corporation with funding from the Cybersecurity and Infrastructure Security Agency (CISA, a part of the U.S. Department of Homeland Security).

A CVE identifier provides a unique reference for a specific vulnerability. CVE-based security revolves around identifying, cataloging, and patching known software vulnerabilities.

[A Vulnerability, in ‘cyber’ terms, as described by NIST, is a weakness in a system, procedure, internal control, or implementation that could be compromised by a threat actor.]

Companies are focused on CVE-based vulnerabilities for a few main reasons.

  1. The CVE provides a standardized method for identifying and tracking vulnerabilities over time
  2. The CVE provides a rating (CVSS score) on how critical the vulnerability is to patch
  3. Businesses have been doing it this way for a long time
  4. Government regulations require companies to be cybersecurity compliant

Vulnerability Management

NIST defines Vulnerability Management as the “Identification of vulnerabilities [Common Vulnerabilities and Exposures (CVEs)] on devices that are likely to be used by attackers to compromise a device and use it as a platform from which to extend compromise to the network.”

The Problem with Today’s Vulnerability Management

While patching software vulnerabilities is good practice, many experts say there is too much focus on CVEs and CVSSs and too little on more critical exposures or risk factors.

Research concludes that less than 3% of CVEs can actually be used by attackers. According to the report, 74% are “dead ends” for attackers: in other words, they do not allow an attacker to move laterally within a system.

CVEs and CVSSs come with substantial limitations. Here are a few of them, according to experts:

  • Inaccurate measurement of risk – The scoring system, with ratings from 1 (low severity) to 10 (high), is often flawed or misleading.
  • CVSS ratings are usually not updated
  • Because the score is simply a number, there’s no additional information that will determine how a vulnerability will affect a system.
  • The CVE doesn’t usually tell IT how to fix a problem, so teams must manually check them – which can be overwhelming when going through a list of hundreds or thousands.
  • CVEs only focus on unpatched software – Patched software is not necessarily immune to vulnerabilities, so CVEs are ignoring what could be important threats.

Perhaps most importantly, the CVE and “Vulnerability Management” began in the 90s, when remote workforces or the Cloud weren’t things. IT teams were able to manually patch software vulnerabilities as they came in.

Fast forward to now: the CVE lists are ginormous, increasing by 3100% annually, and too much for most IT teams to manage efficiently. Modern businesses have a whole host of applications and endpoints for attackers to target (the bulk of which are not CVE-based, and most of which are being compromised through newer methods like phishing, etc.). More on that below.

Where The Real Risk Resides, and Where Organizations Should Focus Efforts

Back to the XM Cyber report: its research reveals that identity and credential compromise represent a whopping 80% of security exposures across organizations. A third of these exposures put critical assets at direct risk of breach.

Other studies also confirm that compromised credentials (usernames and passwords that are stolen, shared, phished, guessed, etc.) are the #1 factor behind successful cyber-attacks.

Another interesting note: while Active Directory remains the cornerstone of organizational identity management, the report found that 80% of all security exposures identified stem from Active Directory misconfigurations or weaknesses, and one-third of all critical asset vulnerabilities are traced back to identity and credential problems within Active Directory.

In short, it is clear that while patching vulnerabilities is important, it’s not enough to protect your business against attack.

The Good News:

  1. The XM Cyber Report includes an Attack Graph Analysis (™), which identifies “choke points” where multiple attack pathways toward ‘critical assets’ converge. The report confirms that only 2% of exposures reside on these choke points, which means teams have far fewer exposures to focus on and the potential for much more efficient work.
  2. While cybersecurity can seem daunting, especially for small-to-medium-sized enterprises, modern tools can vastly improve security postures, simplify access to our digital valuables, enhance user experience … and save on costs.
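The choke-point idea is easier to see on a toy graph. The following is an added example, not XM Cyber’s Attack Graph Analysis (™) and not code from the report or from TraitWare: it enumerates every path from an entry point to a critical asset on a small constructed graph, counts how many of those paths cross each node, and then picks fixes greedily until no path remains. The host names, edges, entry points and critical-asset set are all made up for the illustration; an edge u → v just means “control of u gives reach to v” (a cached credential, an open share, an over-privileged role).

```python
from collections import defaultdict

# Constructed sample graph (not data from the report). Nodes are hosts or
# identities; an edge u -> v means control of u lets an attacker reach v.
GRAPH = {
    "ws-phished-1": ["svc-backup", "ws-2"],
    "ws-phished-2": ["svc-backup"],
    "ws-2": ["svc-backup", "file-srv"],
    "svc-backup": ["ad-dc", "file-srv"],
    "file-srv": ["ad-dc", "erp"],
    "ad-dc": ["crown-jewels-db", "erp"],
    "crown-jewels-db": [],
    "erp": [],
}
ENTRY_POINTS = ["ws-phished-1", "ws-phished-2"]   # where an initial foothold lands
CRITICAL_ASSETS = {"crown-jewels-db", "erp"}      # what the business cannot lose


def all_paths(graph, start, targets):
    """Enumerate simple paths from start to any target (DFS, no node revisited).
    A path stops at the first critical asset it reaches."""
    paths = []

    def dfs(node, path):
        if node in targets:
            paths.append(list(path))
            return
        for nxt in graph.get(node, []):
            if nxt not in path:
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    dfs(start, [start])
    return paths


def choke_points(graph, entries, critical):
    """Return (total_paths, ranked) where ranked lists every non-critical node
    with the number of entry->asset paths that cross it, most first."""
    paths = [p for e in entries for p in all_paths(graph, e, critical)]
    hits = defaultdict(int)
    for p in paths:
        for node in set(p[:-1]):   # everything except the critical asset itself
            hits[node] += 1
    ranked = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    return len(paths), ranked


def remediation_plan(graph, entries, critical):
    """Greedy plan: repeatedly fix the node that sits on the most remaining
    paths until no entry point can reach a critical asset. Does not modify
    the caller's graph."""
    g = {k: list(v) for k, v in graph.items()}
    plan = []
    while True:
        total, ranked = choke_points(g, entries, critical)
        if total == 0 or not ranked:
            return plan
        node, on_paths = ranked[0]
        plan.append((node, on_paths))
        g.pop(node, None)                 # "fixing" a node removes it from the graph
        for neighbours in g.values():
            if node in neighbours:
                neighbours.remove(node)


if __name__ == "__main__":
    total, ranked = choke_points(GRAPH, ENTRY_POINTS, CRITICAL_ASSETS)
    print(f"{total} entry-to-asset paths")
    for node, n in ranked:
        print(f"  {node:14s} on {n:2d} paths")
    print("greedy plan:", remediation_plan(GRAPH, ENTRY_POINTS, CRITICAL_ASSETS))
```

On this graph there are 18 entry-to-asset paths and the greedy plan blocks all of them by fixing two of the six non-critical nodes, which is the practical meaning of “far fewer exposures on which to focus”. Simple-path enumeration grows exponentially on large graphs, so a production tool would use cut-based or sampling methods, but the prioritisation logic is the same: rank by how many pathways a fix removes, not by the CVSS number on the host.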

According to CISA and other experts, the top recommended security measure to implement is Multi-Factor Authentication (MFA). However, as mentioned previously, NOT ALL MFA IS CREATED EQUAL. To maximize security, the MFA must be Phishing-Resistant, as stressed by CISA and others.

The first rule of thumb is: if you have to remember the factor or type it in, it’s Phishable. Bad actors can use social engineering, spraying, etc. to crack the password or code. Phishable factors include one-time passcodes (OTPs), PINs, links, answers to security questions, and so on.

Read More about Phishing Resistant MFA.

Why Strong or Phishing-Resistant MFA? Because the top pathway attackers take to get into your systems and digital resources is the front door lock. 80 percent of the time it’s by cracking that password or key (often used on multiple accounts). Strong MFA stops the attacker at that access point by requiring users to prove they are who they say they are at every login. Strong MFA doesn’t just layer additional factors on top of a password, but eliminates the shareable secret, tying login to you (a biometric), to your device, and using a dynamic key that is invisible to the user and therefore not shareable.
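To show mechanically what separates a typed factor from a phishing-resistant one, here is an added example; it is not TraitWare’s product or code and not part of the original post. It contrasts a TOTP code the user reads and types, which the verifier accepts without any way of knowing which page the digits were entered into, with a device-held key that only signs challenges for the origin it was registered on and binds that origin into the signature. The HMAC used as a stand-in for a public-key signature, the two origins and the user name are constructed simplifications; real WebAuthn uses an asymmetric key pair whose private half never leaves the device and which the relying party never holds.

```python
import hashlib
import hmac
import secrets
import struct

# ---- Factor the user must read and type: TOTP (RFC 6238, HMAC-SHA1) ----

def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Standard TOTP: HOTP over the 30-second time counter."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(seed: bytes, typed_code: str, unix_time: int) -> bool:
    """The verifier receives only digits. Nothing in them says which page the
    user typed them into, so they verify wherever they were entered."""
    return hmac.compare_digest(totp(seed, unix_time), typed_code)


# ---- Factor bound to the device and the origin (WebAuthn-style, simplified) ----

class Authenticator:
    """Device-held credentials, one per origin. HMAC with a per-origin key is a
    constructed stand-in for a private-key signature (assumption of this example)."""

    def __init__(self):
        self._keys = {}

    def register(self, origin: str) -> bytes:
        self._keys[origin] = secrets.token_bytes(32)
        return self._keys[origin]  # stands in for the public key handed to the RP

    def sign(self, presented_origin: str, challenge: bytes):
        key = self._keys.get(presented_origin)
        if key is None:
            return None  # no credential for this origin: the device refuses to sign
        return hmac.new(key, presented_origin.encode() + challenge, hashlib.sha256).digest()


class RelyingParty:
    """The service being logged into; it checks assertions against its own origin."""

    def __init__(self, origin: str):
        self.origin = origin
        self._registered = {}

    def register(self, user: str, public_key: bytes) -> None:
        self._registered[user] = public_key

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)  # fresh per login, so assertions cannot be replayed

    def verify(self, user: str, challenge: bytes, assertion) -> bool:
        key = self._registered.get(user)
        if key is None or assertion is None:
            return False
        expected = hmac.new(key, self.origin.encode() + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion)


def login_with_device_key(rp: RelyingParty, auth: Authenticator, user: str,
                          presented_origin: str) -> bool:
    """One login: the RP issues a challenge, the device signs it for the origin
    the browser reports, and the RP verifies against its real origin."""
    challenge = rp.new_challenge()
    return rp.verify(user, challenge, auth.sign(presented_origin, challenge))


if __name__ == "__main__":
    real = "https://login.example"
    lookalike = "https://login-example.com"   # constructed look-alike origin
    auth, rp = Authenticator(), RelyingParty(real)
    rp.register("alice", auth.register(real))
    print("device key, real origin:      ", login_with_device_key(rp, auth, "alice", real))
    print("device key, look-alike origin:", login_with_device_key(rp, auth, "alice", lookalike))
    seed = b"constructed-seed"
    code = totp(seed, 1_700_000_000)
    print("typed code verifies with no notion of where it was typed:",
          verify_totp(seed, code, 1_700_000_000))
```

The asymmetry is the whole point: `verify_totp` has no origin parameter because a typed code carries none, while the device-key path fails the moment the origin the user is actually looking at differs from the one the credential was created for. That is what “tying login to you, to your device” and “a dynamic key that is invisible to the user” buy in practice.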

To learn more about TraitWare’s Phishing-Resistant Passwordless Native MFA solution built for Enterprises of all sizes, please reach out here, and let’s book some time for a quick demo.

The enterprise has changed dramatically since the 90s, and security and IT teams have struggled to keep up with old methodologies such as vulnerability patching, not to mention working to fix more front-facing risks. Rather than just ticking boxes, it’s time to change with the times: to modernize with current, more efficient methods and state-of-the-art technology, and to focus on remediating today’s most prevalent attack vectors.