Organizations remediated security issues added to the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities (KEV) catalog 3.5 times faster than those not in the catalog, according to The Record, a news site by cybersecurity firm Recorded Future.
Moreover, KEVs involved in ransomware attacks were addressed 2.5 times faster than those that were not, a Bitsight report revealed. Federal agencies were 63% more likely to fix KEVs before the deadline issued by CISA, yet such a deadline has also been met by 40% of all other entities, which are not required to adhere to the agency's directive.
The findings showed that vulnerability remediation times were fastest among technology firms and slowest among local governments and educational institutions. CISA has also been observed shifting to shorter deadlines for addressing security flaws.
"Deadlines seem to be influenced by whether a vulnerability is used in ransomware: 1-week deadline vulnerabilities are nearly twice as likely to have been used in ransomware," said researchers.