Sign up for our daily briefing

Make your busy days simpler with Axios AM/PM. Catch up on what's new and why it matters in just 5 minutes.

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Catch up on coronavirus stories and special reports, curated by Mike Allen everyday

Catch up on coronavirus stories and special reports, curated by Mike Allen everyday

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Denver news in your inbox

Catch up on the most important stories affecting your hometown with Axios Denver

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Des Moines news in your inbox

Catch up on the most important stories affecting your hometown with Axios Des Moines

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Minneapolis-St. Paul news in your inbox

Catch up on the most important stories affecting your hometown with Axios Twin Cities

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Tampa Bay news in your inbox

Catch up on the most important stories affecting your hometown with Axios Tampa Bay

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Charlotte news in your inbox

Catch up on the most important stories affecting your hometown with Axios Charlotte

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Illustration: Sarah Grillo/Axios

A recent study found that only 5.5% of security vulnerabilities discovered by researchers were actually ever used by hackers.

Why it matters: That number makes instinctive sense to experts but can seem counterintuitive to anyone outside the field. That's because all vulnerabilities are not created equal — and in a world with hundreds of bugs released a week, prioritizing the important ones is key to any defense.

The big picture: If the 5.5% statistic sounds jarring, you're not alone. Jay Jacobs, the lead author on the study, says he thought it'd be higher, too.

  • "When I first started working with vulnerabilities, I had that reaction," he said, "I saw that and thought the data must be wrong. I went to an expert to ask if the data seemed normal, and he said [nonchalantly] yeah, why?"
  • "You want to think it's like animals in the wild, and the vulnerabilities are their food sources. Why wouldn't they take all the food sources?"

The reasons they wouldn't can vary. Most hacking is criminal, not espionage, and criminal hackers tend to make decisions based on hacking the most computers with the least amount of effort. Not all vulnerabilities are easy to use and not all of the easy to use vulnerabilities are in products that are widely deployed.

The impact: The number of vulnerabilities used by hackers matters because there are far more new vulnerabilities each month affecting any organization than any organization can patch.

  • In fact, in research he published in conjunction with Kenna Security, Jacobs found that organizations only patch 10% of newly found vulnerabilities each month regardless of the organization's size.
  • Patching isn't just a matter of hitting the "update" button. Updates, while critical, can sometimes interfere with crucial software, and often need to be tested before being applied.

What's needed: That makes prioritizing vulnerabilities key. And that means taking several factors into account.

  • Companies often are quick to assume that the most important factor is the most obvious one: the severity of a bug. But understanding the exposure of a system to attacks and what defenses are already in place are equally important.
  • "Organizations that are more mature will overlay asset management. If a high severity bug is in a server that’s better positioned, it might be able to wait," said Katie Moussouris, founder and CEO of Luta Security.

One factor not to take into account? Us. Or more accurately, media exposure of a vulnerability in general.

  • "If you read the announcements, everything is the end of the world," said Renaud Deraison, co-founder and CTO of Tenable, whose products manage vulnerability patching.
  • Tenable released a study last month demonstrating that there's no correlation between the amount of media attention a vulnerability receives and the urgency of patching it.
  • Take for example the recent series of microprocessor vulnerabilities at Intel and other companies. "Everyone went to patch their CPU. It was a very disruptive, a very invasive thing to patch, and in the end there wasn't an attack," he said.

Go deeper

11 mins ago - Politics & Policy

Trump revokes ethics order barring former aides from lobbying

Photo: Spencer Platt via Getty

Shortly after pardoning members of Congress and lobbyists convicted on corruption charges, President Trump revoked an executive order barring former officials from lobbying for five years after leaving his administration.

Why it matters: The order, which was signed eight days after he took office, was an attempt to fulfill his campaign promise to “drain the swamp.”

  • But with less than 12 hours left in office, Trump has now removed those limitations on his own aides.

Trump pardons former fundraiser Elliott Broidy

President Trump has pardoned Elliott Broidy, a former top Republican fundraiser who pleaded guilty late last year to conspiring to violate foreign lobbying laws as part of a campaign to sway the administration on behalf of Chinese and Malaysian interests.

Why it matters: Broidy was a deputy finance chair for the Republican National Committee early in Trump’s presidency, and attempted to leverage his influence in the Trump administration on behalf of his clients. The president's decision to pardon Broidy represents one last favor for a prominent political ally.

Trump grants flurry of last-minute pardons

Photo: Jabin Botsford/The Washington Post via Getty Images

President Trump issued 73 pardons and commuted the sentences of 70 individuals, hours from leaving office early Wednesday, hours from leaving office.

Why it matters: It's a last-minute gift to some of the president's loyalists and an evident use of executive power with only hours left of his presidency. Axios reported in December that Trump planned to grant pardons to "every person who ever talked to me."