Prioritizing Patch Management Critical to Security

Patch management – two words that are vital to cybersecurity, but that rarely generate enough attention.

That lack of attention can cost. Recent stats from the Verizon Data Breach report showed that many of the most exploited vulnerabilities in 2014 were nearly a decade old, and some were even more ancient than that. Additional numbers from the NTT Group 2015 Global Threat Intelligence Report revealed that 76 percent of vulnerabilities they observed on enterprise networks in 2014 were two years old or more.

“One of the biggest challenges on enterprise networks is knowing the state of all the things you own,” said Martin Fisher, manager of IT security at Northside Hospital in Atlanta. “Enterprise networks are tens of thousands of devices and any of them can be the weak link in the chain. The technology to robustly manage and patch devices has not kept up with the vast quantities of new and exciting equipment coming out each year. That means that sometimes a vulnerability can go for a long time before it gets addressed.”

Unfortunately, many companies do a poor job identifying all their computing assets and understanding their value to the business, noted Jon Heimerl, senior security strategist at Solutionary, an NTT Group security company.

“Many organizations have older systems which are getting ignored as new, cool or more critical applications and services are fielded,” he said. “The longer we maintain legacy applications, or even less important applications and systems in our environments, the more likely those systems are to fall off a list of systems to be patched. It is important that organizations truly understand the systems which make up their operational environment, and the potential impact that each one of those systems can have on organizational security. This issue can be mitigated by performing thorough asset analysis and vulnerability tests to find available systems and associated open vulnerabilities.”

The sheer number of patches that get released makes it difficult for enterprises to keep up, Fisher noted.

“It’s not just Microsoft Patch Tuesday anymore,” he said. “All of the vendors from Adobe to Zotac are producing patch updates for their software and hardware. Each of these patches needs to be evaluated and assessed for how it should be prioritized for deployment. The challenge that most enterprises have is that there is no prioritization so everything from the mundane to the most dangerous all gets the same treatment.”

Enterprises should begin prioritizing patch efforts based on the risk particular vulnerabilities pose to critical assets, as well as their exploitability and age, said Eric Cowperthwaite, vice president of advanced security and strategy at Core Security. Organizations should also adopt a maturity model for threat and vulnerability management, he said.

“In general, you will probably have to accept that you can’t try to patch every single vulnerability,” he said. “Instead, focus on the critical assets that are most important to the organization. Eliminate vulnerabilities that put those critical assets at risk.”

Prioritizing vulnerabilities might require consolidating multiple vulnerability scanner feeds and analyzing issues based on known exploits, as well as simulating potential attack paths through the IT infrastructure, he added.

External information sources such as US-CERT TA15-119A – which has the top 30 attack vulnerabilities – can also be good sources of information, noted Wolfgang Kandek, CTO of Qualys. Once the top 30 are knocked off, focus on bugs that are known to have exploits, he advised.

“Attackers prefer environments where vulnerabilities stay unpatched for months or years at a time, allowing them to use their well tested exploit codes which have undergone significant QA over the years,” Kandek told SecurityWeek. “New exploits tend to be more temperamental, often crashing the target and alerting the user and IT departments.”
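The prioritization approach described above (consolidate scanner feeds, then rank by top-exploited list membership, known exploits, asset criticality and age) can be sketched as follows. This is an added example, not code from the article or from any vendor quoted in it; the host names, feed field names and `VULN-EXAMPLE-*` identifiers are constructed placeholders, and the sort order is one assumed way to combine the advice.

```python
from datetime import date

# All data below is constructed for illustration (hosts, IDs, dates are placeholders).
ASSET_CRITICALITY = {"ehr-db01": 3, "mail-gw": 2, "kiosk-17": 1}  # 3 = most critical
TOP_LIST = {"VULN-EXAMPLE-0001"}  # stand-in for an external top-exploited list
KNOWN_EXPLOIT = {"VULN-EXAMPLE-0001", "VULN-EXAMPLE-0002"}

# Two scanners reporting the same kind of finding under different field names.
FEED_A = [
    {"host": "EHR-DB01", "vuln": "VULN-EXAMPLE-0002", "published": "2012-03-01"},
    {"host": "kiosk-17", "vuln": "VULN-EXAMPLE-0001", "published": "2008-10-23"},
    {"host": "mail-gw", "vuln": "VULN-EXAMPLE-0003", "published": "2014-11-05"},
]
FEED_B = [
    {"asset": "ehr-db01", "id": "VULN-EXAMPLE-0002", "pub_date": "2012-03-01"},
    {"asset": "ehr-db01", "id": "VULN-EXAMPLE-0003", "pub_date": "2014-11-05"},
    {"asset": "lab-pc-9", "id": "VULN-EXAMPLE-0004", "pub_date": "2013-06-11"},
]
FEEDS = [(FEED_A, ("host", "vuln", "published")), (FEED_B, ("asset", "id", "pub_date"))]

def consolidate(feeds):
    """Merge feeds into {(asset, vuln): published}, dropping duplicate findings."""
    merged = {}
    for records, (host_key, vuln_key, date_key) in feeds:
        for rec in records:
            finding = (rec[host_key].lower(), rec[vuln_key])
            merged.setdefault(finding, date.fromisoformat(rec[date_key]))
    return merged

def prioritize(merged, today):
    """Return (ranked findings, assets missing from the inventory)."""
    ranked, unknown = [], set()
    for (asset, vuln), published in merged.items():
        criticality = ASSET_CRITICALITY.get(asset)
        if criticality is None:      # scanner saw a host the inventory does not list
            unknown.add(asset)
            criticality = 2          # assumption: mid criticality until classified
        age_days = (today - published).days
        # Assumed ordering: top-list membership, known exploit, asset criticality, age.
        key = (vuln in TOP_LIST, vuln in KNOWN_EXPLOIT, criticality, age_days)
        ranked.append((key, asset, vuln))
    ranked.sort(reverse=True)
    return [(asset, vuln) for _, asset, vuln in ranked], sorted(unknown)

if __name__ == "__main__":
    queue, unknown = prioritize(consolidate(FEEDS), today=date(2015, 6, 1))
    for position, (asset, vuln) in enumerate(queue, 1):
        print(position, asset, vuln)
    print("not in inventory:", unknown)
```

Hosts that appear in a scan but not in the inventory are returned separately, since they are the systems most likely to have fallen off the patch list.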

Beyond technology, improving the patch management process comes down to communication, said Fisher.

“If everyone from the CEO down understands why patching is so important and also realizes that the patching is being done in as silent and transparent a manner possible, it’s possible to do an amazing job without overly disturbing the business,” he said. 

Written By

Marketing professional with a background in journalism and a focus on IT security.
