How would you prioritize the need to update Cisco routers? For instance, a recent patch release addressed a flaw...
that could enable denial-of-service attacks. Since a worst-case scenario wouldn't involve a malicious code execution, is there less urgency in applying this type of update?
Ask the Expert
Have questions about network security for expert Matt Pascucci? Send them via email today! (All questions are anonymous.)
It's my opinion that if there's an issue with a device and the vendor has taken the time to remediate the vulnerability with a patch, it should be applied. Although there are times when certain patches don't need to be applied right away, they should all be considered for production in a timely manner.
For those who have experienced a denial-of-service (DoS) attack, this might be a prudent patch to install with a high level of urgency. On the other hand, those who don't see DoS attacks as a significant concern or have multiple layers of security in place might decide to wait, since it might not be worth the downtime or potential disruption to business activities.
Remember, it's always important to pursue sound risk management principles in the context of patch management. Perhaps the most important way to limit patching risk is by testing patches in a QA environment before pushing out to production devices. I personally wouldn't want to patch something that wasn't first tested in a lab to consider potential production issues, especially any device running Cisco IOS and is likely crucial to the functionality of the overall enterprise network. Not wanting to patch something because you don't think the vulnerability will affect your company, however, is a mindset that needs to be altered.
If you're a company that has to uphold regulatory compliance standards, there might be times when you're being mandated to apply patches; if the company is that far behind, this patch is probably worth considering.
If you're not going to administer this patch, there's a chance that there are more that are also not on the radar to get patched. This can lead to a slippery slope of complacency. A convenient method to remedy this situation is to create a policy that updates these types of patches on a recurring basis -- say every month -- making sure to review them if they've had issues first. This way, you can knock out a few first and not have to be the first trying out this patch, and yet still have it update.
Dig Deeper on Network Security: Tools, Products, Software
Related Q&A from Matthew Pascucci
The difference between a GRE tunnel and an IPsec tunnel is a commonly discussed topic, but which is more secure? Expert Matthew Pascucci explains ...continue reading
Microsoft's fuzzing as a service cloud initiative, called Project Springfield, can make a significant difference to software security. Expert Matthew...continue reading
A cloud collaboration app can be a useful tool for enterprises, but they should be thoroughly vetted before use. Expert Matthew Pascucci discusses ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.