Patch management: It’s a thankless job, but someone has to do it. Sending out the email requesting that users leave their computers on so that updates and patches can be deployed may be met with mass dissent, but that dissent may save your organization’s data in the long run.
The 2015 HP Cyber Risk Report, which analyzed 2014’s threat and vulnerability behaviors, found that organizations are neglecting patch management. As a result, older vulnerabilities are given a place to roost and cause havoc later. SC Magazine reporter Adam Greenberg describes report findings in his latest article, as follows:
Forty-four percent of known breaches were possible due to vulnerabilities identified years ago. Accounting for 33 percent of identified exploit samples in 2014 is CVE-2010-2568, a popular Microsoft Windows vulnerability, says Jewel Timpe, senior manager of threat research at HP Security Research. Similarly, vulnerabilities and bugs in Adobe Reader/Acrobat, Oracle Java, and Microsoft Office — dating back as early as 2009 — made the top ten in the report.
“Our biggest message here is that we have got to start learning from our past,” Timpe said, going on to add, “The best patch in the world won’t help your software if you don’t apply it.”
Patch management is a challenge for organizations because it is expensive and resource-intensive, she said, adding that launching new applications may negatively affect existing infrastructure and could even result in regression in other software – meaning previously patched vulnerabilities are possibly reintroduced.
Another significant issue noted in the report is server misconfiguration.
“This year we saw the bulk of them are really misconfigurations that are allowing unnecessary access to files and directories that they should not be allowing access to,” Timpe said. “These configurations are giving adversaries a new way to get in.”
Penetration testing, coupled with internal and external analyses of configurations, can help in identifying issues.
In 2015, Timpe said she expected to see more open source vulnerabilities, more SCADA attacks, and more of a focus on infrastructure. Additionally, she said that attackers will continue to have success by exploiting older bugs.
IT SECURITY SUPPORT: Blue Mountain Data Systems provides IT Security Support Services for Federal Civilian Agencies. Looking to find Vulnerability Scanning and Testing, Penetration Testing, Risk Assessment & FISMA Reporting for your Federal Agency? Call Paul Vesely at 703-502-3416.