Why is Security Patch Management So Important?

Over the last year we have seen some of the largest cyberattacks in history, with the WannaCry outbreak and the Equifax breach being two notable examples that made headline news. As more and more cyberattacks are reported, more attention falls on the various aspects that define the overall security posture of a company's infrastructure.

But perhaps the single most important cyber security question to ask is:

How much effort are businesses putting into identifying and mitigating the exploitation risk of software vulnerabilities through effective security patch management?

Research shows that unpatched software remains one of the most common factors in cyberattacks on organisations. The data also indicates that it is existing, already known vulnerabilities, rather than new ones, that are being exploited, resulting in losses and disruption.

Tellingly, a month after WannaCry's impact many organisations still had not applied the relevant patch (MS17-010, which had been available since March 2017): Petya/NotPetya used the same EternalBlue SMBv1 exploit to spread across infected networks, demonstrating how commonplace poor patching processes are.

Security patches close known vulnerabilities that attackers can readily exploit to gain access to machines and systems for many malicious purposes, such as stealing personal information, confidential files or industrial secrets, or holding systems to ransom.

So, Why Is Security Patch Management So Important?

Let’s take a look at the statistics...

In Verizon's 2018 Data Breach Investigations Report we see, yet again, that cybercriminals are still finding success with the same tried-and-tested techniques, and their victims are still making the same mistakes.

The report found that 99% of the exploited vulnerabilities in the study were already more than 12 months old and had a published security patch, meaning they were well known not only to attackers but also to software producers, IT administrators and anyone interested in the subject long before they were exploited.

Software Vulnerability Reports

In its Top Security Predictions, Gartner suggests that by 2020:

  • 99% of the vulnerabilities exploited will continue to be the ones known to security and IT professionals for at least a year.
  • Zero-day vulnerabilities (a vulnerability that hackers actively exploit before it’s publicly known) will play a role in less than 0.1% of attacks.

At the same time, Flexera Software's annual Software Vulnerability Review 2018 showed that 86% of the vulnerabilities reported in 2017 had a patch available on the day they became public.

Addressing Critical Software Vulnerabilities

When we focus specifically on the most critical software vulnerabilities, the percentage with a patch available is even higher.

This means that it is possible to close the vast majority of known software vulnerabilities with a patch, and avoid many of the big breach news headlines we see today.

So, Why Do Organisations Fail to Patch Before Vulnerabilities Are Exploited?

Many organisations struggle with patch management, failing to take essential cyber security precautions, which leaves them open to cyberattacks.

There are different reasons for this…

1. Not Knowing That Security Patches Are Available, or Which Are the Most Critical

Organisations typically use hundreds of non-Microsoft applications from many different vendors, such as Adobe. Microsoft has Patch Tuesday, so its users receive patch information systematically, packaged and ready to deploy; few other vendors have a comparably systematic approach to informing users that a patch is available.

Even when the availability of patches is communicated, it can still be difficult to identify the most critical patches.

2. Discovering Where Applications Are in Your Environment

Inventories are often incomplete and unreliable. Machines check in and out of the network without receiving patches. Misuse of admin rights allows unauthorised applications to be installed on corporate devices. Organisations often run legacy IT systems that are no longer supported, and sometimes forgotten about, giving cybercriminals an open door to the network.

3. Packaging, Testing and Deploying Require Time and Predictable Processes

Although organisations can significantly reduce risk by patching quickly, correctly and across all assets, doing so can be complicated, time-consuming and error-prone; this leads organisations to neglect patches, with costly consequences.
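The three problems above (knowing which patches exist and which matter, knowing where the affected software is installed, and getting the work scheduled) come together in one step: joining an asset inventory against an advisory feed and ranking what is still exposed. The script below is an added example, not Flexera's code or any vendor's API. Every host name, vendor, product, version and advisory identifier in it is constructed sample data (the ADV-* identifiers are not real CVEs), and the 30-day "stale inventory" and 365-day "overdue" thresholds are assumptions chosen to mirror the page's own point that exploited vulnerabilities are typically more than a year old.

```python
"""Patch exposure triage: join a software inventory against an advisory feed.

Added example, not Flexera's code. All hosts, vendors, products and advisory
identifiers are constructed sample data; the ADV-* ids are not real CVEs.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
STALE_AFTER_DAYS = 30      # assumed: a host silent this long has an unreliable record
OVERDUE_AFTER_DAYS = 365   # assumed: the "more than 12 months old" yardstick from the statistics


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    vendor: str
    product: str
    fixed_version: Optional[str]   # None means the vendor never shipped a fix (unsupported product)
    severity: str
    published: date


@dataclass(frozen=True)
class InstalledApp:
    host: str
    vendor: str
    product: str
    version: str
    last_seen: date                # last inventory check-in for this host


@dataclass(frozen=True)
class Exposure:
    host: str
    advisory_id: str
    severity: str
    patch_age_days: int            # days since the advisory (and fix, if any) was published
    patch_available: bool
    overdue: bool                  # unpatched for more than a year
    stale_inventory: bool          # host record may be out of date


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version string into an integer tuple so that
    "11.0.10" sorts after "11.0.2" instead of before it as a string would."""
    return tuple(int(part) for part in text.split("."))


def is_affected(app: InstalledApp, adv: Advisory) -> bool:
    """An install is affected if vendor and product match and either no fix
    exists at all or the installed version is older than the fixed version."""
    if (app.vendor, app.product) != (adv.vendor, adv.product):
        return False
    if adv.fixed_version is None:
        return True
    return parse_version(app.version) < parse_version(adv.fixed_version)


def triage(inventory: List[InstalledApp], advisories: List[Advisory], today: date) -> List[Exposure]:
    """Return every (host, advisory) pair still exposed, most urgent first:
    highest severity, then the patch that has been available the longest."""
    found = []
    for app in inventory:
        stale = (today - app.last_seen).days > STALE_AFTER_DAYS
        for adv in advisories:
            if not is_affected(app, adv):
                continue
            age = (today - adv.published).days
            found.append(Exposure(
                host=app.host,
                advisory_id=adv.advisory_id,
                severity=adv.severity,
                patch_age_days=age,
                patch_available=adv.fixed_version is not None,
                overdue=age > OVERDUE_AFTER_DAYS,
                stale_inventory=stale,
            ))
    return sorted(found, key=lambda e: (SEVERITY_RANK[e.severity], -e.patch_age_days))


# Constructed sample advisory feed: two fixes for the same product, one
# end-of-life product with no fix, and one medium-severity issue.
ADVISORIES = [
    Advisory("ADV-2017-0001", "ExampleSoft", "Reader", "11.0.2", "critical", date(2017, 3, 14)),
    Advisory("ADV-2018-0042", "ExampleSoft", "Reader", "11.0.5", "high", date(2018, 2, 1)),
    Advisory("ADV-2016-0007", "OldVendor", "LegacyClient", None, "critical", date(2016, 6, 1)),
    Advisory("ADV-2018-0100", "ExampleSoft", "Viewer", "2.0.0", "medium", date(2018, 5, 1)),
]

# Constructed sample inventory: ws-02 is fully patched; srv-03 runs the
# unsupported product and has not checked in for months.
INVENTORY = [
    InstalledApp("ws-01", "ExampleSoft", "Reader", "11.0.1", date(2018, 6, 1)),
    InstalledApp("ws-02", "ExampleSoft", "Reader", "11.0.5", date(2018, 6, 1)),
    InstalledApp("srv-03", "OldVendor", "LegacyClient", "4.2", date(2018, 1, 15)),
    InstalledApp("ws-04", "ExampleSoft", "Viewer", "1.9", date(2018, 6, 2)),
]

TODAY = date(2018, 6, 5)   # fixed "today" so the report is reproducible


def sample_report() -> List[Exposure]:
    return triage(INVENTORY, ADVISORIES, TODAY)


if __name__ == "__main__":
    for e in sample_report():
        flags = [name for name, on in (("NO PATCH", not e.patch_available),
                                       ("OVERDUE", e.overdue),
                                       ("STALE", e.stale_inventory)) if on]
        print(f"{e.host:8} {e.advisory_id:14} {e.severity:9} {e.patch_age_days:4d}d  {' '.join(flags)}")
```

Run as-is, the report puts the unsupported LegacyClient on srv-03 at the top (critical, no patch will ever arrive, and the host's inventory record is stale, so it needs a compensating control or decommissioning rather than a patch job), followed by the two Reader issues on ws-01, the older of which has had a fix available for well over a year. ws-02 does not appear at all because its installed version already matches the fixed version. In a real deployment the two constant lists would be replaced by the output of an inventory agent and a vendor advisory feed; the join and ranking logic is the part that stays the same.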


What’s the Simple Answer?

Take back control. Close the doors to cyber threats.

Flexera's vulnerability and patch management platform, Software Vulnerability Manager (previously Corporate Software Inspector), provides a scalable solution for mid-sized and large enterprises. It uses vulnerability intelligence from Secunia Research to prioritise the patch status of over 20,000 applications, more than anyone else, and integrates with WSUS and SCCM to patch your non-Microsoft applications and systems.