Microsoft recently released a record number of patches on Patch Tuesday, which seems to beg the question: With...
the growing amount of malware and its ever increasing ability to find and exploit zero-day flaws, is the patching process sustainable? Are there other ways enterprises can respond to software vulnerabilities than by haphazard patching?
The relationship between malware and patches is based on more than just the number of patches. While the number of patches and the frequency of the patching cycle is intended to thwart as many exploits as possible, the sheer volume of patches does make it significantly more difficult to keep up with patching for all of an enterprise's applications, which, in turn, makes it easier for malware to infect systems.
There is also a difference between zero-day flaws -- which are unpatched and initially have no workarounds -- and unpatched vulnerabilities where the vendor or the community has developed workarounds to protect systems.
That said, the patching process can be sustainable as long as you plan for comprehensive patching. You can also minimize the number of necessary patches by only installing essential software, using thin-clients where applications run off of a server and are centrally patched, and hardening endpoints, among other methods. Many of these methods can also be used to minimize the risk from zero-day exploits.
Patching is not the only option enterprises have for minimizing the risks posed by software vulnerabilities. Organizations can isolate systems from the network and maintain good physical security to minimize attacks; they can also use software or operating systems that are less prone to attack, or even choose different software to use on the same platform. Choosing different software that featured security in the software development life cycle could still provide comparable functionality to the vulnerable software, but with more security controls in place to reduce the risk of getting exploited. For example, if you need to use PDF files, you could use an alternative PDF reader like Foxit. The number of zero-day exploits illustrates the current state of software security and its current ineffectiveness at educating developers about and getting them to use secure software development practices. Enterprises could thoroughly investigate systems before they are deployed to understand the software or hardware development life cycle, and maturity of the company or project to ensure it matches the expectations of the enterprise.
Dig Deeper on Security patch management and Windows Patch Tuesday news
Related Q&A from Nick Lewis
The new Trochilus RAT can avoid detection in cyberespionage attacks. Expert Nick Lewis explains how it works, and if enterprises need to adapt their ...continue reading
The Asacub Trojan has new banking malware features. Expert Nick Lewis explains how it made this transition and what enterprises should be watching ...continue reading
BlackEnergy malware may have been part of the attacks on Ukrainian utility and media companies. Expert Nick Lewis explains how this malware works and...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.