
Why patch delays happen and two new tools from CISA

CompTIA’s State of Cybersecurity report — Three in 10 survey respondents said they are “completely satisfied” with their organization’s approach to cybersecurity, while 27% feel the general state of cybersecurity is “improving dramatically.” And 75% have found that more investment is required for zero trust than for their previous cybersecurity initiatives.

TechRepublic asks why organizations are slow to patch, drawing on a Trustwave review of high-profile vulnerabilities from the past year. Despite the high severity of some of the flaws, the report found that more than 50% of the servers examined were still unprotected weeks and even months after an update had been released. So why? Quoting the article:

First, patching a system is not always as simple as just installing an update. Some systems are highly complex and mission critical. As such, they may require several levels of testing and approval from different teams to make sure that a given patch won’t create more problems than it solves.

Second, not all organizations have the staff or personnel available to focus exclusively on patch management. Some simply don’t have the budget to set up a dedicated team, which means certain staffers have to juggle multiple roles and tasks.

Third, some organizations lack the right process or strategy for fully testing, installing and deploying security patches.

And it’s not just vulnerabilities – misconfigurations are an issue too. Researchers at Palo Alto Networks ran a red team exercise and found ways to elevate privileges purely because of misconfigurations, with no unpatched vulnerability required.

Of course, that’s a problem.  The Director of Cybersecurity at the NSA said this week that nearly every country on the planet now has a program to exploit digital vulnerabilities. 

Not all bad news from the government – CISA has released a new tool that lets organizations assess their vulnerability to insider threats and devise their own defense plans against such risks. You’re looking for the Insider Risk Mitigation Self-Assessment Tool. There’s also new guidance on securing VPNs.

Why do we care?

Use those resources for sure – that’s what they are there for.   

I’m going to talk about that patching stuff for a minute. The discussion is always risk management, and it’s not the same for all systems. The impact of a failed patch on an endpoint is a lot different from the impact on a backend or cloud system. Leaders of the UK’s cyber security centre advocate for auto patching, because for many systems, like endpoints, it’s worth it. My take is that the old math on risk is wrong – in a cloud-first world, downtime is measured a lot differently.

I’d be remiss if I didn’t observe that configuration management is where this is all going, too.