Prioritizing Patch Management Critical to Security

Tuesday, June 09, 2015

Brian Prince


Patch management - two words that are vital to cybersecurity, but that rarely generate enough attention.

That lack of attention can cost. Recent stats from the Verizon Data Breach report showed that many of the most exploited vulnerabilities in 2014 were nearly a decade old, and some were even more ancient than that. Additional numbers from the NTT Group 2015 Global Threat Intelligence Report revealed that 76 percent of vulnerabilities they observed on enterprise networks in 2014 were two years old or more.

"One of the biggest challenges on enterprise networks is knowing the state of all the things you own," said Martin Fisher, manager of IT security at Northside Hospital in Atlanta. "Enterprise networks are tens of thousands of devices and any of them can be the weak link in the chain. The technology to robustly manage and patch devices has not kept up with the vast quantities of new and exciting equipment coming out each year. That means that sometimes a vulnerability can go for a long time before it gets addressed."

Unfortunately, many companies do a poor job identifying all their computing assets and understanding their value to the business, noted Jon Heimerl, senior security strategist at Solutionary, a NTT Group security company.

"Many organizations have older systems which are getting ignored as new, cool or more critical applications and services are fielded," he said. "The longer we maintain legacy applications, or even less important applications and systems in our environments, the more likely those systems are to fall off a list of systems to be patched. It is important that organizations truly understand the systems which make up their operational environment, and the potential impact that each one of those systems can have on organizational security. This issue can be mitigated by performing thorough asset analysis and vulnerability tests to find available systems and associated open vulnerabilities."

Read the rest of this article on 

Budgets Enterprise Security Policy Security Awareness Security Training Breaches CVE DB Vulns US-CERT
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.