Microsoft recently released a record number of patches on Patch Tuesday, which seems to beg the question: with the growing amount of malware and its ever-increasing ability to find and exploit zero-day flaws, is the patching process sustainable? Are there other ways enterprises can respond to software vulnerabilities than by haphazard patching?
The relationship between malware and patches involves more than just the number of patches. While the number of patches and the frequency of the patching cycle are intended to thwart as many exploits as possible, the sheer volume of patches does make it significantly more difficult to keep up with patching all of an enterprise's applications, which, in turn, makes it easier for malware to infect systems.
There is also a difference between zero-day flaws, which are unpatched and initially have no workarounds, and unpatched vulnerabilities for which the vendor or the community has developed workarounds to protect systems.
That said, the patching process can be sustainable as long as you plan for comprehensive patching. You can also minimize the number of necessary patches by installing only essential software, using thin clients where applications run on a server and are centrally patched, and hardening endpoints, among other methods. Many of these methods also reduce the risk from zero-day exploits.
Patching is not the only option enterprises have for minimizing the risks posed by software vulnerabilities. Organizations can isolate systems from the network and maintain good physical security to minimize attacks; they can also use software or operating systems that are less prone to attack, or even choose different software on the same platform. Software built with security integrated into its development life cycle can provide comparable functionality to the vulnerable product while including more security controls that reduce the risk of exploitation. For example, if you need to use PDF files, you could use an alternative PDF reader like Foxit.
The number of zero-day exploits illustrates the current state of software security and the industry's continued ineffectiveness at educating developers about, and getting them to use, secure software development practices. Enterprises could thoroughly investigate systems before deploying them, to understand the software or hardware development life cycle and the maturity of the company or project, and to ensure these match the enterprise's expectations.
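The answer above distinguishes true zero-day flaws (no patch, no workaround) from unpatched vulnerabilities that already have workarounds, and suggests removing non-essential software rather than patching it. The following triage helper, added here as an example and not part of the original Q&A, turns those two ideas into a repeatable ranking: each open finding is routed to "remove" (the product is not on the host's essential-software list), "patch" (a fix exists), or "mitigate" (apply the workaround or isolate the host until a patch ships), and each bucket is ordered by urgency, with active exploitation, absence of both patch and workaround, and internet exposure all raising the score. Host names, product names and the `VULN-000x` identifiers are constructed placeholders, not real inventory data.

```python
"""Patch-triage helper: rank open vulnerabilities by urgency and flag software
that could be uninstalled instead of patched. All sample data is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    internet_facing: bool
    essential_software: frozenset  # products the business actually needs here


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    vuln_id: str               # constructed placeholder identifier
    patch_available: bool
    workaround_available: bool
    exploited_in_wild: bool


def urgency(finding: Finding, host: Host) -> int:
    """Higher score = act sooner. A true zero-day (no patch, no workaround)
    that is being exploited outranks an unpatched bug with a vendor workaround."""
    score = 0
    if finding.exploited_in_wild:
        score += 4
    if not finding.patch_available and not finding.workaround_available:
        score += 3  # nothing to apply yet: isolation/hardening is the only control
    elif not finding.workaround_available:
        score += 1  # patch exists but no interim mitigation if it cannot be deployed
    if host.internet_facing:
        score += 2
    return score


def triage(findings, hosts):
    """Route each finding to remove / patch / mitigate and sort each bucket by urgency."""
    by_name = {h.name: h for h in hosts}
    buckets = {"remove": [], "patch": [], "mitigate": []}
    for f in findings:
        host = by_name[f.host]
        if f.product not in host.essential_software:
            buckets["remove"].append(f)     # no business need: uninstall, don't patch
        elif f.patch_available:
            buckets["patch"].append(f)
        else:
            buckets["mitigate"].append(f)   # workaround or isolation until a patch ships
    for name, items in buckets.items():
        items.sort(key=lambda f: -urgency(f, by_name[f.host]))
    return buckets


# Constructed sample inventory (hypothetical hosts and products).
SAMPLE_HOSTS = [
    Host("web01", True, frozenset({"httpd", "pdf-reader"})),
    Host("ws-finance", False, frozenset({"office-suite"})),
]
SAMPLE_FINDINGS = [
    Finding("web01", "httpd", "VULN-0001", True, False, True),        # patch, exploited
    Finding("web01", "pdf-reader", "VULN-0002", False, False, True),  # zero-day, exploited
    Finding("ws-finance", "legacy-flash", "VULN-0003", False, True, False),  # non-essential
    Finding("ws-finance", "office-suite", "VULN-0004", True, True, False),   # routine patch
]


def run_sample():
    """Triage the constructed inventory; returns the three ordered buckets."""
    return triage(SAMPLE_FINDINGS, SAMPLE_HOSTS)


if __name__ == "__main__":
    hosts = {h.name: h for h in SAMPLE_HOSTS}
    for bucket, items in run_sample().items():
        print(bucket.upper())
        for f in items:
            print(f"  {f.vuln_id:10} {f.host:12} {f.product:14} urgency={urgency(f, hosts[f.host])}")
```

In practice the inventory would come from the enterprise's asset and vulnerability scanners, and the essential-software list is the deliberate outcome of the "install only what you need" policy; the "remove" bucket is the cheapest win because it shrinks the patching workload permanently rather than once.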
Related Q&A from Nick Lewis