Sign up for our daily briefing

Make your busy days simpler with Axios AM/PM. Catch up on what's new and why it matters in just 5 minutes.

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Catch up on the day's biggest business stories

Subscribe to Axios Closer for insights into the day’s business news and trends and why they matter

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Stay on top of the latest market trends

Subscribe to Axios Markets for the latest market trends and economic insights. Sign up for free.

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Sports news worthy of your time

Binge on the stats and stories that drive the sports world with Axios Sports. Sign up for free.

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Tech news worthy of your time

Get our smart take on technology from the Valley and D.C. with Axios Login. Sign up for free.

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Get the inside stories

Get an insider's guide to the new White House with Axios Sneak Peek. Sign up for free.

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Catch up on coronavirus stories and special reports, curated by Mike Allen everyday

Catch up on coronavirus stories and special reports, curated by Mike Allen everyday

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Want a daily digest of the top Denver news?

Get a daily digest of the most important stories affecting your hometown with Axios Denver

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Want a daily digest of the top Des Moines news?

Get a daily digest of the most important stories affecting your hometown with Axios Des Moines

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Want a daily digest of the top Twin Cities news?

Get a daily digest of the most important stories affecting your hometown with Axios Twin Cities

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Want a daily digest of the top Tampa Bay news?

Get a daily digest of the most important stories affecting your hometown with Axios Tampa Bay

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Want a daily digest of the top Charlotte news?

Get a daily digest of the most important stories affecting your hometown with Axios Charlotte

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Sign up for Axios NW Arkansas

Stay up-to-date on the most important and interesting stories affecting NW Arkansas, authored by local reporters

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Illustration: Sarah Grillo/Axios

A recent study found that only 5.5% of security vulnerabilities discovered by researchers were actually ever used by hackers.

Why it matters: That number makes instinctive sense to experts but can seem counterintuitive to anyone outside the field. That's because all vulnerabilities are not created equal — and in a world with hundreds of bugs released a week, prioritizing the important ones is key to any defense.

The big picture: If the 5.5% statistic sounds jarring, you're not alone. Jay Jacobs, the lead author on the study, says he thought it'd be higher, too.

  • "When I first started working with vulnerabilities, I had that reaction," he said, "I saw that and thought the data must be wrong. I went to an expert to ask if the data seemed normal, and he said [nonchalantly] yeah, why?"
  • "You want to think it's like animals in the wild, and the vulnerabilities are their food sources. Why wouldn't they take all the food sources?"

The reasons they wouldn't can vary. Most hacking is criminal, not espionage, and criminal hackers tend to make decisions based on hacking the most computers with the least amount of effort. Not all vulnerabilities are easy to use and not all of the easy to use vulnerabilities are in products that are widely deployed.

The impact: The number of vulnerabilities used by hackers matters because there are far more new vulnerabilities each month affecting any organization than any organization can patch.

  • In fact, in research he published in conjunction with Kenna Security, Jacobs found that organizations only patch 10% of newly found vulnerabilities each month regardless of the organization's size.
  • Patching isn't just a matter of hitting the "update" button. Updates, while critical, can sometimes interfere with crucial software, and often need to be tested before being applied.

What's needed: That makes prioritizing vulnerabilities key. And that means taking several factors into account.

  • Companies often are quick to assume that the most important factor is the most obvious one: the severity of a bug. But understanding the exposure of a system to attacks and what defenses are already in place are equally important.
  • "Organizations that are more mature will overlay asset management. If a high severity bug is in a server that’s better positioned, it might be able to wait," said Katie Moussouris, founder and CEO of Luta Security.

One factor not to take into account? Us. Or more accurately, media exposure of a vulnerability in general.

  • "If you read the announcements, everything is the end of the world," said Renaud Deraison, co-founder and CTO of Tenable, whose products manage vulnerability patching.
  • Tenable released a study last month demonstrating that there's no correlation between the amount of media attention a vulnerability receives and the urgency of patching it.
  • Take for example the recent series of microprocessor vulnerabilities at Intel and other companies. "Everyone went to patch their CPU. It was a very disruptive, a very invasive thing to patch, and in the end there wasn't an attack," he said.

Go deeper

U.S. friends in Latin America are turning to China

Illustration: Shoshana Gordon/Axios

The U.S. is losing Latin America to China without putting up a fight, Ecuador’s ambassador to Washington told Axios, laying bare her frustrations with early inattention from the Biden administration.

Why it matters: Ecuador isn't alone. China has deepened its engagement in the region, and it's now the top trading partner for many of the region's largest economies. That gives Beijing considerable leverage in a region historically dominated by the U.S., and makes Latin America a major frontier in the global competition for influence.

1 dead, 14 injured in shooting at Kroger grocery store near Memphis

One person was killed and 14 others were injured Thursday in a shooting at a Kroger grocery store in Collierville, Tenn., near Memphis, the town's spokesperson Jennifer Casey said, per CNN.

What they're saying: "I've been involved in [police work] for 34 years and I have never seen anything like [this]," Police Chief Dale Lane said at a press conference.

3 hours ago - Health

CDC panel recommends Pfizer boosters for high-risk individuals, people 65 and up

Photo: Marco Bello/Anadolu Agency via Getty Images

A key panel at the Centers for Disease Control and Prevention on Thursday recommended the Pfizer-BioNTech coronavirus booster shots for people 65 years old and older, as well as those at high risk of severe COVID-19.

Why it matters: The approval is the near-final step in making the booster shots available to tens of millions of Americans, and comes a day after the FDA approved Pfizer boosters for the two groups. CDC director Rochelle Walensky is expected to announce her recommendation soon.