A recent report from tCell that analyzed more than 316 million security incidents shares key data on the most common real-world attacks targeting in-production web applications. One statistic that caught my eye is that it took an average of 38 days for businesses to patch known web app vulnerabilities (regardless of severity level), versus a pretty similar 34 days to patch the most critical issues.
How long does it take your organization to patch critical vulnerabilities in operating systems, networks, web applications or other applications? Many organizations are challenged to keep up with the sheer volume of patches that are required across all their systems.
For example, in our vulnerability assessment practice, we’re still finding the Windows Server vulnerability that the WannaCry ransomware attack has been exploiting since back in May 2017. And not infrequently we encounter equally serious vulnerabilities tied to even older exploits that remain unpatched.
Often these unpatched systems just “slipped through the cracks” despite the client having a patch management program in place. An important part of patch management is verifying that all systems were patched.
This is where periodic vulnerability assessments can come in very handy. They’re a great way to find those one or two systems that didn’t get patched when you thought they did. Otherwise, these systems can remain wide open to attack for long periods and present significant risk. Hackers use automated tools to probe the web 24×7 for just these kinds of “open windows,” and it’s only a matter of time before they find yours.
Patch management isn’t rocket science: you put a plan in place, follow it, verify that it’s working, and keep on it. But that can be easier said than done!
Contact Pivot Point Security to make sure your network and systems are as secure as you think they are, and to help prioritize your risk remediation efforts. Our network security experts have helped hundreds of companies of all sizes get the maximum value from their vulnerability assessment efforts.
For more information:
- Patch Verification: The Missing Link
- WannaCry Still Active – Are Your Windows Systems Patched?
- Vulnerability Patch Management is Not the Same as Vulnerability Management