Vulnerability Review For 2013
According to Secunia's Vulnerability Review 2013, 1,137 vulnerabilities were discovered in 2012, and 84% of them had a patch available on the day of disclosure. On a positive note, this means that with timely patching, organizations and private users can remediate the majority of vulnerabilities, the root cause of many security incidents. To balance the picture, the remaining 16% of vulnerabilities in 2012 had no patch available on the day of disclosure, in some cases for considerably longer. Possible reasons for such delays include a lack of vendor resources, uncoordinated releases, zero-days and vulnerabilities in End-of-Life products.
With vulnerabilities, timing is crucial. So what is a best-practice approach to patching software?
Frameworks such as the SANS Institute's '20 Critical Controls' can support organizations with this challenge. Implementing all controls in their entirety may not be feasible for many organizations, so in the context of vulnerability management SANS outlines a set of 'first five' quick wins. Quick wins #3 and #4 read: "Implement automated patching tools and processes that ensure security patches are installed within 48 hours of their release for both applications and for operating system software." Applying every security patch within 48 hours can be challenging. Alternatively, concrete risk reduction can be achieved by prioritizing patches and holding the most critical ones (those representing the greatest risk of exploitation) to the 48-hour threshold.
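To make the two figures above measurable in practice, here is an added example (not code from Secunia or SANS) that computes the share of advisories patched on the day of disclosure, builds a patch queue ordered by severity and patch age, and flags patches that have exceeded the 48-hour threshold. The severity scale and the advisory records are constructed for illustration; a real inventory would come from the vulnerability scanner or patch management tool.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Hypothetical severity ranking (lower = more urgent); the page defines none.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
SLA_HOURS = 48  # SANS 'first five' #3/#4 threshold


@dataclass
class Advisory:
    product: str
    severity: str
    disclosed: datetime
    patch_released: Optional[datetime]   # None = no vendor patch yet
    installed: Optional[datetime] = None  # None = still open


def patched_on_disclosure_day(advs: List[Advisory]) -> float:
    """Share of advisories whose vendor patch was available on the disclosure day."""
    if not advs:
        return 0.0
    same_day = sum(
        1 for a in advs
        if a.patch_released is not None and a.patch_released.date() <= a.disclosed.date()
    )
    return same_day / len(advs)


def hours_since_release(adv: Advisory, now: datetime) -> Optional[float]:
    """Hours between patch release and installation (or 'now' if still open)."""
    if adv.patch_released is None:
        return None  # nothing to install; needs mitigation instead
    end = adv.installed or now
    return (end - adv.patch_released).total_seconds() / 3600


def build_queue(advs: List[Advisory], now: datetime) -> List[Advisory]:
    """Open advisories with a patch available, most severe first, oldest patch first."""
    open_ = [a for a in advs if a.patch_released is not None and a.installed is None]
    return sorted(open_, key=lambda a: (SEVERITY_RANK[a.severity], a.patch_released))


def overdue(advs: List[Advisory], now: datetime) -> List[Advisory]:
    """Queue entries whose patch has been available longer than SLA_HOURS."""
    return [a for a in build_queue(advs, now) if hours_since_release(a, now) > SLA_HOURS]


def needs_mitigation(advs: List[Advisory]) -> List[Advisory]:
    """Disclosed vulnerabilities with no vendor patch: compensating controls required."""
    return [a for a in advs if a.patch_released is None]


# Constructed sample inventory (not real advisories).
NOW = datetime(2013, 3, 15, 12, 0)
SAMPLE = [
    Advisory("app-A", "critical", datetime(2013, 3, 12, 9), datetime(2013, 3, 12, 9)),
    Advisory("app-B", "high", datetime(2013, 3, 14, 10), datetime(2013, 3, 14, 10)),
    Advisory("app-C", "medium", datetime(2013, 3, 1, 8), datetime(2013, 3, 5, 8),
             installed=datetime(2013, 3, 6, 8)),
    Advisory("app-D", "critical", datetime(2013, 3, 10, 8), None),
    Advisory("app-E", "low", datetime(2013, 3, 1, 8), datetime(2013, 3, 1, 8)),
]

if __name__ == "__main__":
    print(f"patched on disclosure day: {patched_on_disclosure_day(SAMPLE):.0%}")
    for a in build_queue(SAMPLE, NOW):
        print(f"{a.product:6} {a.severity:8} {hours_since_release(a, NOW):6.0f}h since release")
    print("overdue:", [a.product for a in overdue(SAMPLE, NOW)])
    print("no patch, mitigate:", [a.product for a in needs_mitigation(SAMPLE)])
```

The queue order is what turns the 48-hour target into a workable policy: critical patches are checked against the threshold first, while older low-severity items surface after them rather than crowding the top of the list. Advisories with no vendor patch are deliberately kept out of the queue so they are tracked as mitigation work rather than silently missed.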
A best-practice patch management solution can offer full support for the challenges of visibility, configuration, assessment, prioritization and mitigation of threats. Here is an example of an implementation model with a focus on technology for 'first five' #3 and #4, patching tools and processes:
The alternative, a manual approach to patching, is extremely complex, unreliable and eats into your team's time and resources.