Over the last year we've observed some of the largest cyber attacks in history - WannaCry and Equifax breaches being two examples making headline news. As more and more cyber attacks are reported, so too do the variety of aspects that define the overall security position of a company’s infrastructure.
But perhaps, the single-most important cyber security question to ask is:
How much effort are businesses putting into identifying and mitigating the exploitation risk of software vulnerabilities - through effective security patch management?
Research shows that unpatched software remains one of the most prevalent factors for cyber-attacks targeting organisations. Data also shows that it is the existing (known) vulnerabilities - rather than new ones - which are being exploited, causing losses and disruption.
Interestingly, despite the impact of WannaCry, a month later it seemed that many organisations hadn’t bothered to apply the correct patches, as Petya/NotPetya used the same exploit to spread itself across infected networks, demonstrating the extent to which poor patching processes are commonplace.
Security patches close known vulnerabilities which are easily exploited by hackers to gain access to machines and systems for multiple malicious purposes; such as stealing personal information, stealing confidential files and industrial secrets or hijacking systems for ransom.
So, why is security patch management so important?
Let's take a look at the statistics...
In Verizon’s 2018 Data Breach Investigation Report we see that yet again, cyber criminals are still finding success with the same tried and tested techniques, and their victims are still making the same mistakes.
The report found that 99% of the exploited vulnerabilities in the study were already more that 12 months old, with a published software security patch - meaning they were very well-known not only by hackers but by software producers, IT administrators and anyone interested in the subject long before they were exploited.
Software Vulnerability Reports
In their Top Security Predictions, Gartner suggests that by 2020:
- 99% of the vulnerabilities exploited will continue to be the ones known to security and IT professionals for at least a year.
- Zero-day vulnerabilities (a vulnerability that’s actively exploited by hackers before it’s publicly known) will play a role in less than 0.1% of attacks.
At the same time, the annual Software Vulnerability Review 2018 by Flexera Software showed that 86% of the vulnerabilities reported in 2017 had a patch available at the time they became public.
Addressing critical software vulnerabilities
When we focus specifically on the most critical software vulnerabilities, the percentage of available patches is even higher!
This means that it is possible to close the vast majority of known software vulnerabilities with a patch - and avoid many of the big breach news headlines we see today.
So, why do organisations fail to patch before vulnerabilities are exploited?
Many organisations struggle with patch management, failing to take essential cyber security precautions, leaving themselves open to cyber attack
There are different reasons for this…
1. Not knowing that security patches are available...
... and which are most are the most critical
Organisations typically use hundreds of non-Microsoft applications, from many different vendors, such as Adobe. Microsoft has ‘Patch Tuesday’, so users get information systematically packaged, ready to deploy. However few other vendors have such a systematic approach to inform users of the availability of patches.
Even when the availability of patches is communicated, it can still be difficult to identify the most critical patches.
2. Discovering where applications are in your environment
Inventories are often incomplete and unreliable. Machines check-in and check-out of networks without getting patches. Misuse of admin rights allows unauthorised applications to be installed on corporate devices. Organisations often have legacy IT systems, which are no longer supported, sometimes forgotten about - giving cyber criminals an open door to your network.
3. Packaging, testing and deploying requires time and predictable processes
Although organisations can significantly reduce risk by patching quickly, correctly and across all assets – doing so can be complicated, time consuming and error prone – this can lead to organisations neglecting patches with costly consequences.
What's the simple answer?
Take back control. Close the doors to cyber threats.
Flexera's vulnerability and patch management platform Software Vulnerability Manager (previously Corporate Software Inspector) provides a scalable solution for mid and large enterprises, using vulnerability intelligence from Secunia Research to prioritise the patch status of over 20,000+ applications - more than anyone else - seamlessly integrating with WSUS and SCCM to patch all your non-Microsoft applications and systems.
Want to learn more?
About Comtact Ltd.
Powered by a dedicated team of software vulnerability specialists, Comtact help give you tools, support and services to intelligently manage your critical software updates. From expert deployment and 24x7x365 support to fully managed 'Patch Management-as-a-Service', Comtact works with many of the UK's leading organisation to to simplify your security vulnerability management.