The College of Information Sciences and Technology at Penn State, in partnership with Tripwire, Inc., a leading global provider of risk-based security and compliance management solutions, today announced that the top 25 percent of vulnerability management contributors scanned their networks nearly continuously and had an average aggregate host risk score of 2.14 using the Common Vulnerability Scoring System (CVSS).
CVSS is an open industry standard for rating the severity of vulnerabilities; organizations use the resulting scores to prioritize remediation. CVSS base scores range from zero to ten. In this release, vulnerabilities with a base score of 7.0-10.0 are treated as critical, 4.0-6.9 as major and 0-3.9 as minor. A base score reflects the intrinsic severity of a flaw; it does not by itself account for whether an exploit is available or how exposed a given host is, which is why scan frequency and remediation speed matter alongside the score.
Average host risk score and average days since the last scan are two key vulnerability management metrics derived from Penn State’s Benchmark, a free, cloud-based cybersecurity analytics service. Benchmark allows security professionals to collaborate on security best practices and compare their security performance against community and industry benchmarks.
“Average aggregate host risk score and average days since last scan are excellent indicators of vulnerability management performance because they tend to move in the same direction,” said Rod Murchison, vice president of product management at Tripwire. “Together, these scores indicate that companies that scan more frequently tend to have a more effective vulnerability remediation process, lowering their overall vulnerability risk scores.”
Vulnerability management is a foundational security control that reduces the window in which known IT vulnerabilities can be exploited. Because it is a widely used indicator of cybersecurity program performance, vulnerability management is referenced in the major security standards, including the Payment Card Industry Data Security Standard (PCI DSS), the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity and the 20 Critical Security Controls (20 CSC). Proactive management of vulnerabilities significantly reduces the likelihood of successful cyberattacks and improves risk posture.
“Benchmark is a great example of the type of tools we need to train the next generation of cybersecurity analysts, and that is precisely why we are integrating it into our undergraduate curriculum,” said Dr. David Hall, dean of the College of Information Sciences and Technology at Penn State. “Benchmark metrics help analysts take a qualitative approach to the capabilities of their cybersecurity infrastructure. Together, these metrics also make it possible for cybersecurity experts to evaluate the performance of their security controls at a higher level of abstraction.”
Tripwire donated its Benchmark service to the Center for Cyber Security, Information Privacy and Trust at Penn State’s College of Information Sciences and Technology in April. The free Penn State security analytics service is available today to any organization that would like to measure the effectiveness of its IT security investments. For more information and access to security and risk metrics, scorecards and benchmarks, please visit: https://benchmark.ist.psu.edu/.
About Tripwire
Tripwire is a leading global provider of risk-based security and compliance management solutions, enabling enterprises, government agencies and service providers to effectively connect security to their business. Tripwire provides the broadest set of foundational security controls, including security configuration management, vulnerability management, file integrity monitoring, and log and event management. Tripwire solutions deliver unprecedented visibility, business context and security business intelligence, allowing extended enterprises to protect sensitive data from breaches, vulnerabilities and threats. Learn more at www.tripwire.com, get security news, trends and insights at http://www.tripwire.com/state-of-security/ or follow us on Twitter @TripwireInc.
About Penn State College of IST
The College of Information Sciences and Technology (IST) at The Pennsylvania State University in University Park, PA, is an interdisciplinary program started in 1998 that links computer science, users, and information technology. The College of IST offers an associate degree as well as bachelor of arts and bachelor of science degrees in IST and a bachelor of science in security and risk analysis (SRA) at 20 campuses throughout the commonwealth of Pennsylvania. A resident, academic M.S. degree and a Ph.D. degree in IST are also offered at the University Park campus. Online offerings include undergraduate degrees in IST and SRA, undergraduate and post-baccalaureate certificates, and online MPS degrees in homeland security, information sciences, and enterprise architecture. For more information, visit http://ist.psu.edu.