Report: Majority of Companies Don’t Think Like Hackers, Making Them More Prone to Attacks

The research assesses software vulnerability prioritization based on insights from hacker forums, including the dark web and deep web

Most companies don't put themselves in the hacker mindset, leaving them more prone to attacks, according to new research published Wednesday by two Israeli companies, WhiteSource and CYR3CON.

WhiteSource, a leader in open source security and license compliance management, and CYR3CON, which predicts cybersecurity attacks based on AI-gathered intelligence from hacker communities, released the collaborative report, which addresses security vulnerability prioritization through the eyes of hackers.

The report examines the most common methods software development teams use to prioritize software vulnerabilities for remediation and compares those practices to data gathered from the discussions of hacker communities, including the dark web and deep web.

The findings indicated that software development teams tend to prioritize based on available data, but hackers don't target vulnerabilities based on those same parameters.

"As development teams face an ever-rising number of disclosed vulnerabilities, it becomes impossible to fix everything and it's imperative that teams focus on addressing the most urgent issues first," said Rami Sass, CEO and co-founder of WhiteSource. "Our research can help organizations adopt a solid prioritization method, and ensure they look beyond just the most accessible data to the data that can best help them fix the security vulnerabilities that could cause the greatest impact, and in turn save them valuable time."

Additionally, the report found that organizations tend to prioritize "fresh" vulnerabilities, while hackers often discuss vulnerabilities for over six months following exploitation, with even older vulnerabilities re-emerging in hacker community discussions as they reappear in new exploits or malware.

"All too often companies unknowingly accept risk by using outdated methods of vulnerability prioritization - and this report sheds light on the shortcomings of those approaches. Combining threat intelligence and machine learning overcomes those shortcomings, highlighting previously unidentified risks in the process," said Paulo Shakarian, CYR3CON CEO & Co-Founder.
