Some people might think warnings about IT security threats are overblown. That’s how they justify their “it will never happen to me” mentality.
But what about the Equifax breach last year that exposed the personal data of nearly half of the U.S. population? What about the WannaCry ransomware attack that affected more than 200,000 computers in 150 countries? What about the 60 percent of small companies that never recover from cyberattacks and are out of business within six months?
Warnings about cyber threats are hardly exaggerated.
Many threats access networks and disrupt operations by exploiting software vulnerabilities that haven’t been patched. In fact, many security experts believe better patch management could have prevented the Equifax and WannaCry breaches.
People tend to associate patching with Microsoft, as Patch Tuesday has been a major monthly event since 2003. However, patches aren’t limited to Microsoft. Software vendors such as Adobe and Oracle, along with Google and other browser developers, issue patches on a regular basis to address vulnerabilities.
Tenable recently released a report on the 20 most prevalent vulnerabilities that could impact up to 30 percent of organizations if left unpatched. The vulnerability that could have the widest impact and severity is a privilege escalation security flaw in the .NET framework of Microsoft apps. This issue could potentially affect almost one-third of organizations.
At number two on the list is a buffer overflow bug in Google Chrome that could cause a system to crash if a hacker can trick a user into opening a malicious website. Also in the top 20 are cryptographic flaws in SSL 2.0 and 3.0, multiple issues with earlier versions of Adobe Flash Player that can lead to the execution of malicious code, and a bug in Oracle Java SE that could allow a hacker to take over the system.
While these top 20 vulnerabilities represent the greatest threats, there are many others. Just about any device on the network — including printers, fax machines, routers and more — has software or firmware that will need to be patched. Patch management is critical to reducing risk, so organizations must develop a strategy and make someone responsible for executing that strategy.
It’s important to keep in mind, however, that not all patches are helpful. Patches often cause unexpected problems, particularly in today’s complex IT environment. You need to assess the risk created by a vulnerability, understand the patch being deployed, test the patch in an isolated environment, and evaluate the risk before deployment.
By taking a risk-based approach to patch management, you can determine if the risk of applying the patch outweighs the risk of the vulnerability itself. For example, if the vulnerability creates only a slight risk, whereas the patch might cause downtime, you can delay installing the patch or apply a workaround.
SSD provides comprehensive maintenance, management and monitoring of your IT environment as part of our Assurance managed services program. Let us show you how we can implement a risk-based approach to patch management that keeps your network protected without disrupting business operations.