CIO, September 16, 2015, Warren Neuburger’s second installment featured another quote from our own Joshua Crumbaugh, Director of Penetration Testing. Josh cautioned enterprise organizations on the importance of keeping up with patch management. He also highlighted the difficulty of contending with vulnerability exploits unknown to the respective vendor.
The annual Verizon Data Breach Investigations Report (DBIR) has consistently stressed the importance of timely patch management. The 2015 report observed that of the analyzed data breaches of 2014 that 99.9% of the vulnerabilities exploited were more than a year old. In other words, patches were available but not implemented.
Independent researchers such as Tangible Security typically work with the respective vendor and a trusted third party. The intent is to ensure that a patch is released from the vendor when the vulnerability is reported to the public. The time between vulnerability report and patch release must be small. The 2015 DBIR also reported finding exploits for 50% of the vulnerabilities within two weeks of their publication.
For enterprise personnel seeking a reliable predictor as to when they need to have a patch implemented, the report asserted that the best line drawn corresponds to when a metasploit exploit becomes available.
The report did provide patch management personnel some good news. Fewer than 1% of data breaches were due to a smartphone or tablet compromise. While this lasts, patch management personnel can prioritize their finite resources on patching other assets first.
Clearly, exploits of vulnerabilities unknown to their respective vendors (zero-days) can breach organizations with perfect patch management. Signature based enterprise defenses seldom stop such attacks. Consequently, the enterprise must be highly resilient to contend with zero-day attacks, which requires them to operate at a high security maturity level.
Original article in CIO magazine, by Warren Neuburger, "What Keeps IT Up at Night Part 1 - The Human Element"
- Tangible Labs
- Contact Us