Over the last year, we’ve observed some of the largest cyberattacks in history, with the WannaCry and Equifax breaches being two notable examples that made headline news. As more and more cyberattacks are reported, so too does scrutiny of the various aspects that define the overall security posture of a company’s infrastructure.
But perhaps the single most important cyber security question to ask is:
How much effort are businesses putting into identifying and mitigating the exploitation risk of software vulnerabilities through effective security patch management?
Research shows that unpatched software remains one of the most prevalent factors in cyberattacks targeting organisations. Data also indicates that existing vulnerabilities, rather than new ones, were being exploited, resulting in losses and disruptions.
Interestingly, despite WannaCry’s impact, a month later, it seemed that many organisations hadn’t bothered to apply the correct patches, as Petya/NotPetya used the same exploit to spread across infected networks, demonstrating the extent to which poor patching processes are commonplace.
Security patches close known vulnerabilities, which hackers can easily exploit to gain access to machines and systems for multiple malicious purposes, such as stealing personal information, confidential files, and industrial secrets, or hijacking systems for ransom.
Let’s take a look at the statistics...
In Verizon’s 2018 Data Breach Investigation Report, we see that, yet again, cybercriminals are still finding success with the same tried-and-tested techniques, and their victims are still making the same mistakes.
The report found that 99% of the exploited vulnerabilities in the study were already more than 12 months old, with a published software security patch, meaning they were well-known not only to hackers but also to software producers, IT administrators, and anyone interested in the subject long before they were exploited.
In their Top Security Predictions, Gartner suggests that by 2020:
When we focus specifically on the most critical software vulnerabilities, the percentage of available patches is even higher.
This means that it is possible to close the vast majority of known software vulnerabilities with a patch, and avoid many of the big breach news headlines we see today.
Many organisations struggle with patch management, failing to take essential cyber security precautions, which leaves them open to cyberattacks.
There are different reasons for this…
... and which are the most critical
Organisations typically use hundreds of non-Microsoft applications from many different vendors, such as Adobe. Microsoft has ‘Patch Tuesday’, so users receive information systematically packaged and ready to deploy; however, few other vendors have a systematic approach to informing users of patch availability.
Even when the availability of patches is communicated, it can still be difficult to identify the most critical patches.
Inventories are often incomplete and unreliable. Machines check in and check out of networks without getting patches. Misuse of admin rights allows unauthorised applications to be installed on corporate devices. Organisations often have legacy IT systems that are no longer supported and sometimes forgotten about, giving cybercriminals an open door to their network.
Although organisations can significantly reduce risk by patching quickly, correctly, and across all assets, doing so can be complicated, time-consuming, and error-prone; this can lead to organisations neglecting patches, with costly consequences.
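The points above (patches that have been available for more than 12 months, hosts that drift in and out of the inventory, and unsupported legacy software with no fix at all) can be turned into a simple exposure report. The following is an added example written for this page, not code from Flexera or any product it describes; the hosts, versions and advisories are constructed sample data.

```python
from datetime import date

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
TODAY = date(2018, 6, 15)  # fixed so the report is reproducible

# Constructed sample data: hypothetical hosts, versions and advisories,
# not an inventory or feed from the article or from any vendor product.
INVENTORY = {
    "ws-01": {"last_seen": date(2018, 6, 1), "apps": {"acrobat": "17.0", "flashplayer": "28.0"}},
    "ws-02": {"last_seen": date(2017, 11, 3), "apps": {"acrobat": "18.0"}},  # not seen for months
    "srv-legacy": {"last_seen": date(2018, 6, 2), "apps": {"oldcms": "2.1"}},  # vendor end-of-life
}
ADVISORIES = [
    {"app": "acrobat", "fixed_in": "18.0", "patched_on": date(2017, 3, 14), "severity": "critical"},
    {"app": "flashplayer", "fixed_in": "29.0", "patched_on": date(2018, 4, 10), "severity": "high"},
    {"app": "oldcms", "fixed_in": None, "patched_on": None, "severity": "critical"},  # no fix exists
]

def version_tuple(v):
    """Numeric comparison so that '10.0' sorts after '9.5'."""
    return tuple(int(p) for p in v.split("."))

def stale_hosts(inventory, today, stale_days=30):
    """Hosts whose last check-in is too old for their app list to be trusted."""
    return [h for h, r in inventory.items() if (today - r["last_seen"]).days > stale_days]

def patch_findings(inventory, advisories, today):
    """One finding per host/app pair that is below the fixed version or has no fix,
    ordered by severity and then by how long the patch has been available."""
    findings = []
    for host, rec in inventory.items():
        for adv in advisories:
            installed = rec["apps"].get(adv["app"])
            if installed is None:
                continue
            finding = {"host": host, "app": adv["app"], "severity": adv["severity"], "flags": []}
            if adv["fixed_in"] is None:  # unsupported: only removal or isolation closes it
                finding.update(age_days=None, flags=["unsupported"])
            elif version_tuple(installed) < version_tuple(adv["fixed_in"]):
                age = (today - adv["patched_on"]).days
                finding["age_days"] = age
                if age > 365:  # the bucket the Verizon figure in the text describes
                    finding["flags"].append("patch_older_than_12_months")
            else:
                continue  # already at or above the fixed version
            findings.append(finding)
    # no patch date for unsupported software, so rank it as the most overdue
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]],
                                           -(f["age_days"] if f["age_days"] is not None else 10**6)))
```

A host that appears fully patched but has not checked in for weeks (ws-02 here) is reported separately by `stale_hosts`, because its apparent compliance rests on an inventory that can no longer be trusted.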
Take back control. Close the doors to cyber threats.
Flexera’s vulnerability and patch management platform, Software Vulnerability Manager (previously Corporate Software Inspector), provides a scalable solution for mid-sized and large enterprises. It uses vulnerability intelligence from Secunia Research to prioritise the patch status of over 20,000 applications—more than anyone else—seamlessly integrating with WSUS and SCCM to patch all your non-Microsoft applications and systems.