Tenable vulnerability study contradicts its own work

A vulnerability study by security outfit Tenable Research appears to discredit its own work by stating that the sample size it used for the study was not representative.

Towards the end of the 15-page report, the authors had this to say: "The sample set size of 50 vulnerabilities is not representative and is insufficient to draw detailed or broader conclusions about vulnerabilities in general."

Yet the study draws many broad conclusions from exactly that sample. It also lists one other limitation.

"Exploit availability does not necessarily mean active exploitation. Usually, only a subset of exploitable vulnerabilities are, for example, weaponised and automated in the form of malware, ransomware and exploit kits. A human threat actor, however, would have access to any published exploit," it said.

Titled "Quantifying the attacker's first-mover advantage", the study (a free download after registration) was said to be the work of Tenable's newly expanded research team.

It concluded with this bit of bizspeak: "The research indicates the criticality of proactively and holistically analysing and measuring Cyber Exposure across the entire modern attack surface.

"Live visibility is not only a foundational element of cyber hygiene but also is the only way for organisations to flip the advantage to the defenders across the majority of vulnerabilities."

Update: The company later issued the following statement:

"In the report, we clarify that findings from the set of vulnerabilities in this study cannot be used to infer broader conclusions about all vulnerabilities. Our study focuses on the 50 most prevalent exploitable vulnerabilities that existed in customer environments in late 2017. Factual findings from this focused set of highly relevant vulnerabilities cannot be extrapolated to the general vulnerability population.

"Strong research will demonstrate rigour and will highlight its bounds and limitations, which is why we were transparent about our dataset and what conclusions could be drawn from the resulting data."


Sam Varghese

A professional journalist with decades of experience, Sam for nine years used DOS and then Windows, which led him to start experimenting with GNU/Linux in 1998. Since then he has written widely about the use of both free and open source software, and the people behind the code. His personal blog is titled Irregular Expression.
