Patching Gets More and More Complicated but is Critical for Managing Risk

Robinson+Cole Data Privacy + Security Insider
Contact

Patching vulnerabilities has always been challenging, but these days, it is getting more and more complicated as manufacturers try to stay abreast of zero-day vulnerabilities and issue patches as quickly as they can.

Microsoft is well-known for its Patch Tuesday, which is a monthly roll-out of the patches for vulnerabilities it has become aware of in the past month. This past Tuesday, October 13, 2020, was Patch Tuesday for the month of October. It was not the largest release that Microsoft has had on Patch Tuesday this year, with a mere 87 patches. That is down from more than 100 patches released every month between March and September of 2020. In September, Patch Tuesday produced 129 patches.

When IT professionals receive 87 patches from one manufacturer in a month, it puts in perspective just how complicated and hard it is to keep up with all of the patches received from every software vendor and manufacturing companies are using in day to day operations. It could be a full-time job.

The failure to patch a vulnerability in a timely manner has been the cause of well-known security incidents and data breaches, which magnified the importance of timely patching. However, the number of patches continues to grow exponentially, making it difficult for IT professionals to keep up with the alerts. It is hard to imagine how they don’t become a little numb to the issuance of another patch.

When issuing the patches on Patch Tuesday, Microsoft categorizes the patches into “critical,” “important” and “moderate” in severity so that IT professionals can prioritize the patches when applying them to systems. They also provide helpful information about whether the vulnerabilities are known to be actively exploited by criminals at the time of the release. This month, 11 of the 87 patches were categorized as critical, 75 were categorized as important, and one was classified as moderate. Six of the vulnerabilities were publicly known at the time of the release, so were potentially available to criminals before the release.

According to reports by security experts, the recently released patches IT professionals may wish to concentrate on first this month are the ones that address vulnerabilities in remote code execution or RCEs, which allow attackers access to a system without user action—like clicking on a phishing email. Once in the system, the attacker can obtain privileges, start a ransomware attack or steal data.

Although patching gets more and more complicated, it is important for IT systems to continue to prioritize them and stay on top of security alerts from vendors regarding vulnerabilities. It is easy to become numb to the number and frequency of the issuance of patches, but it is critical to minimizing risk.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Robinson+Cole Data Privacy + Security Insider | Attorney Advertising

Written by:

Robinson+Cole Data Privacy + Security Insider
Contact
more
less

Robinson+Cole Data Privacy + Security Insider on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.