Patches aren’t just for decoration

June 7, 2019

EXECUTIVE SUMMARY:

In the era when counterculture was cool, patches adorned every item of wearable clothing. In the age of tech, patches are still a core piece of the culture, but in an entirely different way.

Hunting down the latest vulnerabilities and exploits, determined hackers attempt to gain footholds in vulnerable computer systems prior to the release of a patch, or before organizations catch on to the often mission-critical nature of installing a patch.

Two years ago, WannaCry exploited the EternalBlue vulnerability prior to when most organizations bothered to patch. As a direct result, a massive number of systems across the globe experienced a ransomware encryption within a matter of hours.

As exemplified by their recent directive to patch all vulnerabilities marked as “critical” within 15 days, (rather than 30), the US Department of Homeland Security (DHS) acknowledges that patching must be taken seriously. They are not just for decoration. One expert asserts that, “80% of intrusions take place on things that are not patched.”

But for a handful of systems, a more cautious approach may be required, and patching might not be the optimal choice. When legacy architecture enters the picture, sometimes patching isn’t worth it. Computers that are 20 years old may be sufficiently fragile that they may not withstand the shock of an update.

“Your patching cycle will be driven by the risks on your estate, in some cases, the risk of disruption from installing it can be greater [than patching itself],” stated an expert speaking at Infosecurity Europe, 2019.

Taking the time to make an assessment and develop a clear cyber security strategy is imperative. In order to determine whether a patch, an overhaul, or something else is needed, businesses must survey each piece of infrastructure and think critically about what’s elemental, what calculated risks they are worthwhile, and how to prioritize accordingly.

Composing a cyber security strategy is a tricky business, but one that could determine the future of your own.

Get the full story at ZDNet.