Education sector has improving window of exposure despite lower remediation rates and higher than average time… – ZDNet

The education sector sees an improving window of exposure despite lower remediation rates and higher than average time to fix, according to an NTT report
By | September 24, 2021 | Topic: Security
A new report from NTT Application Security has found that applications used by organizations in the education sector have an improving window of exposure despite having lower remediation rates and a higher than average time to fix.
This month, the NTT Application Security research team focused on cyberthreats targeting education applications as security concerns in that sector continue to grow with the school year starting. 
Accelerated online learning environments due to the pandemic and considerable rates of ransomware and phishing attacks against K-12 schools have increased focus on the unique cybersecurity challenges these organizations face. 
According to the report, although the education sector’s breach exposure has remained relatively consistent this year, the sector is taking longer to fix high-severity vulnerabilities than other industries (206 days vs 201 days).
Additionally, applications within the education sector show an increased Window of Exposure (WoE) rate, rising to 57% in August from 53% last month.
Setu Kulkarni, vice president of strategy at NTT Application Security, told ZDNet the education sector showed a positive trend as far as WoE is concerned. 
“As we completed the research, it was surprising to see that less than 50%, actually only 46% of the critical vulnerabilities are ever fixed. That’s a shockingly low remediation rate, but that’s only half of the story. For those 46% of the vulnerabilities that get remediated, on average it takes over 200 days to fix a critical vulnerability once an organization decides to address the vulnerability,” Kulkarni explained. 
“Those two factors are majority contributors to the high breach exposure for applications — that is, applications have an unacceptable WoE to attacks. Moreover, the mix of serious vulnerabilities has remained constant over time and that means, the attackers do not have to try too hard.” 
Despite the issues, the data indicates that organizations in the education sector are hyper-focused on fixing critical vulnerabilities within some of their web applications, and Kulkarni said this approach seems to be working, as the sector’s otherwise stable Window of Exposure metrics are now improving.
The education sector has one of the best Window of Exposure metrics (less than one month) across all sectors, according to the report. 
The researchers found that 53% of applications in the education sector have at least one critical vulnerability exploitable throughout the year, yet 34% of these applications have a Window of Exposure of less than one month. This means that serious vulnerabilities in 34% of applications in the sector get addressed within one month.
Kulkarni said that moving forward, there needs to be a focus on reducing the average time to fix critical and high-severity vulnerabilities, which is critical to improving the WoE and consequently the overall security posture of applications.
“The application security statistics for the education sector indicate a hyper focus among organizations in this sector on a handful of critical web applications and fixing a handful of critical vulnerabilities in those applications,” Kulkarni added. 
“To accelerate the improvement in the Education sector’s overall application security posture, organizations in the sector should expand their approach to identify their overall attack surface and put in place a systematic program that progressively covers all applications.” 
Kulkarni also suggested that educational organizations provide security training to students and demand that SaaS and non-SaaS products be thoroughly checked for vulnerabilities.