This month’s Patch Tuesday addresses some serious vulnerabilities, one of which is actively being exploited, but it’s unlikely businesses will apply the patches immediately.
Businesses are typically slow in applying patches, yet I’d bet vulnerabilities are still the most common reason organisations are compromised. Security standards, including the UK Cyber Essentials standard, encourage patches to be deployed within 14 days of release for both operating systems and applications, but it’s not uncommon for organisations to take months to get their patches deployed.
I think when major ones come out, such as Log4j and PrintNightmare, there is a stronger effort by teams to apply patches. But with WannaCry, what we saw was a retrospective response when it was compromised in the wild a few months after Microsoft had released the patch, and nobody was really interested until it happened.
That’s why companies should be diligent in approving and deploying patches on a weekly basis, if possible, because you don’t know what the next vulnerability is going to be and whether it could have been mitigated by consistent and diligent patching.
It’s also something that IT teams need to get stricter on with their users – there is always friction with users not wanting to be interrupted during the day, working late at night, not leaving computers on during patching windows, or getting frustrated when their computer reboots the morning after the day they were supposed to leave devices on for patching. But in my opinion, this is something IT teams should be unwilling to compromise on; they maybe just need to better communicate its importance to other departments.
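The 14-day Cyber Essentials window mentioned above, and the point that a patch that has been installed but is still waiting on a reboot is not yet protecting the machine, can both be turned into a simple compliance check over a patch inventory. The following is an added example written for this commentary, not code from Information Security Buzz or from any patch-management product; the inventory records, host names and patch identifiers are constructed placeholders, and the 14-day window is the only value taken from the text.

```python
from datetime import date, timedelta

# Cyber Essentials expects OS and application patches to be deployed
# within 14 days of release (the figure quoted in the commentary).
CYBER_ESSENTIALS_WINDOW = timedelta(days=14)

# Constructed sample inventory (not real data): one record per (host, patch).
# "installed" is None when the patch has not been applied; "reboot_pending"
# is True when it was installed but the host has not rebooted since.
SAMPLE_INVENTORY = [
    {"host": "ws-01", "patch": "KB-EXAMPLE-1", "released": date(2022, 3, 8),
     "installed": date(2022, 3, 10), "reboot_pending": False},
    {"host": "ws-01", "patch": "KB-EXAMPLE-2", "released": date(2022, 3, 8),
     "installed": date(2022, 3, 12), "reboot_pending": True},
    {"host": "ws-02", "patch": "KB-EXAMPLE-1", "released": date(2022, 3, 8),
     "installed": None, "reboot_pending": False},
    {"host": "srv-01", "patch": "KB-EXAMPLE-1", "released": date(2022, 3, 8),
     "installed": date(2022, 3, 9), "reboot_pending": False},
    {"host": "srv-02", "patch": "KB-EXAMPLE-1", "released": date(2022, 3, 8),
     "installed": date(2022, 3, 25), "reboot_pending": False},
]

# Statuses that still need someone to act on the host.
ACTION_STATUSES = {"missing_overdue", "missing_in_window", "installed_reboot_pending"}


def assess_patch(record, today, window=CYBER_ESSENTIALS_WINDOW):
    """Classify one (host, patch) record against the deployment window.

    A patch only counts as effective once it is installed AND the host has
    rebooted; an installed-but-reboot-pending patch is flagged separately
    because the vulnerability is still exposed.
    """
    deadline = record["released"] + window
    days_past = (today - deadline).days

    if record["installed"] is None:
        status = "missing_overdue" if days_past > 0 else "missing_in_window"
    elif record["reboot_pending"]:
        status = "installed_reboot_pending"
    elif record["installed"] > deadline:
        status = "deployed_late"  # fixed now, but outside the 14-day window
    else:
        status = "compliant"

    return {
        "host": record["host"],
        "patch": record["patch"],
        "status": status,
        "deadline": deadline,
        "days_past_deadline": max(days_past, 0),
    }


def assess_inventory(inventory, today, window=CYBER_ESSENTIALS_WINDOW):
    """Assess every record in the inventory as of `today`."""
    return [assess_patch(r, today, window) for r in inventory]


def hosts_needing_action(findings):
    """Hosts with at least one patch that is missing or not yet effective."""
    return sorted({f["host"] for f in findings if f["status"] in ACTION_STATUSES})


def summarize(findings):
    """Count findings per status, e.g. for a weekly patch-review report."""
    counts = {}
    for f in findings:
        counts[f["status"]] = counts.get(f["status"], 0) + 1
    return counts


if __name__ == "__main__":
    results = assess_inventory(SAMPLE_INVENTORY, today=date(2022, 3, 30))
    for f in results:
        print(f"{f['host']:7} {f['patch']:13} {f['status']:25} "
              f"{f['days_past_deadline']} day(s) past deadline")
    print("hosts needing action:", hosts_needing_action(results))
    print("summary:", summarize(results))
```

Run weekly against the real inventory exported from whatever patch-management tool is in use, the output gives the patch review meeting a concrete list: hosts that are overdue, and hosts where the patch is installed but will not actually protect the machine until the user lets it reboot.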
However, hopefully the upcoming Auto Patch service will address this challenge.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides expert comments, analysis and opinion on the latest information security news and topics.