Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Prioritizing Patch Management Critical to Security

Patch management – two words that are vital to cybersecurity, but that rarely generate enough attention.

Patch management – two words that are vital to cybersecurity, but that rarely generate enough attention.

That lack of attention can cost. Recent stats from the Verizon Data Breach report showed that many of the most exploited vulnerabilities in 2014 were nearly a decade old, and some were even more ancient than that. Additional numbers from the NTT Group 2015 Global Threat Intelligence Report revealed that 76 percent of vulnerabilities they observed on enterprise networks in 2014 were two years old or more.

“One of the biggest challenges on enterprise networks is knowing the state of all the things you own,” said Martin Fisher, manager of IT security at Northside Hospital in Atlanta. “Enterprise networks are tens of thousands of devices and any of them can be the weak link in the chain. The technology to robustly manage and patch devices has not kept up with the vast quantities of new and exciting equipment coming out each year. That means that sometimes a vulnerability can go for a long time before it gets addressed.”

Unfortunately, many companies do a poor job identifying all their computing assets and understanding their value to the business, noted Jon Heimerl, senior security strategist at Solutionary, a NTT Group security company.

“Many organizations have older systems which are getting ignored as new, cool or more critical applications and services are fielded,” he said. “The longer we maintain legacy applications, or even less important applications and systems in our environments, the more likely those systems are to fall off a list of systems to be patched. It is important that organizations truly understand the systems which make up their operational environment, and the potential impact that each one of those systems can have on organizational security. This issue can be mitigated by performing thorough asset analysis and vulnerability tests to find available systems and associated open vulnerabilities.”

The sheer number of patches that get released makes it difficult for enterprises to keep up, Fisher noted.

“It’s not just Microsoft Patch Tuesday anymore,” he said. “All of the vendors from Adobe to Zotac are producing patch updates for their software and hardware. Each of these patches needs to be evaluated and assessed for how it should be prioritized for deployment. The challenge that most enterprises have is that there is no prioritization so everything from the mundane to the most dangerous all gets the same treatment.”

Enterprises should begin prioritizing patch efforts based on the risk particular vulnerabilities pose to critical assets, as well as their exploitability and age, said Eric Cowperthwaite, vice president of advanced security and strategy at Core Security. Organizations should also adopt a maturity model for threat and vulnerability management, he said.

“In general, you will probably have to accept that you can’t try to patch every single vulnerability,” he said. “Instead, focus on the critical assets that are most important to the organization. Eliminate vulnerabilities that put those critical assets at risk.

Prioritizing vulnerabilities might require consolidating multiple vulnerability scanner feeds and analyzing issues based on known exploits, as well as simulating potential attack paths through the IT infrastructure, he added.

External information sources such as US-CERT TA15-119A – which has the top 30 attack vulnerabilities – can also be good sources of information, noted Wolfgang Kandek, CTO of Qualys. Once the top 30 are knocked off, focus on bugs that are known to have exploits, he advised.

“Attackers prefer environments where vulnerabilities stay unpatched for months or years at a time, allowing them to use their well tested exploit codes which have undergone significant QA over the years,” Kandek told SecurityWeek. “New exploits tend to be more temperamental, often crashing the target and alerting the user and IT departments.”

Beyond technology, improving the patch management process comes down to communication, said Fisher.

“If everyone from the CEO down understands why patching is so important and also realizes that the patching is being done in as silent and transparent a manner possible, it’s possible to do an amazing job without overly disturbing the business,” he said. 

Written By

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.