Opinion
FUD Watch | Patch Tuesday Panic? No Thanks
Are security vendors right to bang the alarm bell every Patch Tuesday? Yes. But only to a point.
By Bill Brenner, Senior Editor
My IT sources usually don't understand why vendors are yelling at them to patch immediately. For the reason described above, they can't rush the process. Meanwhile, they are not too worried about exploits of freshly disclosed flaws, because they have a multi-layered array of security tools and policies to keep out any malware that may target the latest Microsoft holes while the patches are being tested and tweaked.
This raises the question: Are security vendors right to bang the alarm bell with a hammer whenever patches are released for a major application or operating system?
Yes - to a point.
While most of the security pros I deal with are diligent in the practice of defense-in-depth, many others are not as protected as they should be. Many studies, including the just-released Verizon Business report on data breaches, show that the attacks that succeed are often the simple ones that slither through gaping network holes that could have easily been closed with available patches and other security tools.
Among the findings, Verizon said nearly nine in 10 corporate data breaches could have been prevented had reasonable security measures been in place. Among other things, the report noted, companies usually find out after a breach that it could have been prevented simply by applying patches that have been available for a long time, sometimes years.
When findings like that emerge, it's easy to see why some security researchers feel the need to cry doom and gloom.
At the same time, vendors often make too much of the prospect that attackers are cooking up massive exploits the second those patches flow down the pipeline.
Attackers have launched significant malware outbreaks on the heels of a Microsoft patch release in the past, one example being the Zotob attacks that hit many companies within a week of the August 2005 Patch Tuesday release. Even then, the scope of the assault was overblown and the damage would have been minimized if not for the fact that those affected were running Windows 2000 machines with missing patches.
In the last couple years, however, big attacks right after Patch Tuesday have been rare. Why write new malware when you can keep flinging the same old stuff through cracks that should have been sealed with a patch that came out in 2003?
The bottom line is this: If you run a tight IT ship and have a layered security program, you should ignore the monthly vendor cries (you already do anyway). But if you're not guarding your infrastructure with basic defenses such as firewalls, antivirus and patch management procedures, you should start paying more attention.