How would you prioritize the need to update Cisco routers? For instance, a recent patch release addressed a flaw that could enable denial-of-service attacks. Since a worst-case scenario wouldn't involve a malicious code execution, is there less urgency in applying this type of update?
Ask the Expert
Have questions about network security for expert Matt Pascucci? Send them via email today! (All questions are anonymous.)
It's my opinion that if there's an issue with a device and the vendor has taken the time to remediate the vulnerability with a patch, it should be applied. Although there are times when certain patches don't need to be applied right away, they should all be considered for production in a timely manner.
For those who have experienced a denial-of-service (DoS) attack, this might be a prudent patch to install with a high level of urgency. On the other hand, those who don't see DoS attacks as a significant concern or have multiple layers of security in place might decide to wait, since it might not be worth the downtime or potential disruption to business activities.
Remember, it's always important to pursue sound risk management principles in the context of patch management. Perhaps the most important way to limit patching risk is by testing patches in a QA environment before pushing them out to production devices. I personally wouldn't want to patch something that wasn't first tested in a lab to consider potential production issues, especially any device running Cisco IOS that is likely crucial to the functionality of the overall enterprise network. Not wanting to patch something because you don't think the vulnerability will affect your company, however, is a mindset that needs to be altered.
If you're a company that has to uphold regulatory compliance standards, there might be times when you're being mandated to apply patches; if the company is that far behind, this patch is probably worth considering.
If you're not going to administer this patch, there's a chance that there are more that are also not on the radar to get patched. This can lead to a slippery slope of complacency. A convenient method to remedy this situation is to create a policy that applies these types of patches on a recurring basis -- say every month -- making sure first to review whether they've had reported issues. This way, you can knock out a few first and not have to be the first trying out this patch, and yet still have it updated.
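The answer above describes a risk-based triage: code-execution flaws outrank DoS-only flaws, exposure, past DoS incidents and compliance mandates raise urgency, layered compensating controls lower it, lab testing gates production, and a recurring monthly window catches everything else so nothing is deferred indefinitely. The following script, an added illustration that is not part of the original column or any Cisco or TechTarget process, turns that advice into a scoring and scheduling routine. The weights, thresholds, 30-day cadence and the sample advisory IDs are all assumptions constructed for the example.

```python
"""Risk-based patch triage for network-device advisories.

Added illustration of the advice above: code-execution flaws outrank
DoS-only flaws, exposure and compliance mandates raise urgency,
compensating controls lower it, lab testing is a prerequisite, and every
advisory gets a due date. Weights, thresholds and the 30-day cadence are
assumptions for this example, not a vendor or TechTarget standard.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Advisory:
    advisory_id: str             # constructed placeholder IDs, not real advisories
    impact: str                  # "code_execution" or "dos"
    device_exposed: bool         # reachable from untrusted networks
    compensating_controls: bool  # e.g. upstream filtering / rate limiting in place
    compliance_mandated: bool    # a regulator or auditor requires this patch level
    dos_history: bool            # the organisation has suffered DoS on this device class
    lab_tested: bool             # the image has already passed the QA/lab environment


def urgency_score(adv: Advisory) -> int:
    """Score 0-100; higher means patch sooner. Assumed weights."""
    score = 50 if adv.impact == "code_execution" else 30
    if adv.device_exposed:
        score += 20
    if adv.compensating_controls:
        score -= 15
    if adv.compliance_mandated:
        score += 25
    if adv.dos_history and adv.impact == "dos":
        score += 20
    return max(0, min(100, score))


def schedule(adv: Advisory, today: date, next_window: date,
             cadence_days: int = 30) -> dict:
    """Map a score to a tier and a due date. 'Defer indefinitely' is never
    an outcome; the lowest tier is simply a later maintenance window."""
    score = urgency_score(adv)
    if score >= 70:
        tier, due = "emergency", today + timedelta(days=7)
    elif score >= 45:
        tier, due = "next_window", next_window
    else:
        # Regular cycle: the window after next, so the patch has been fielded
        # elsewhere first and any reported issues are known before we install it.
        tier, due = "regular_cycle", next_window + timedelta(days=cadence_days)
    prerequisites = [] if adv.lab_tested else ["test in QA/lab before production"]
    return {"advisory_id": adv.advisory_id, "score": score, "tier": tier,
            "due": due, "prerequisites": prerequisites}


def triage(advisories, today: date, next_window: date) -> list:
    """Return one schedule per advisory, most urgent first."""
    plans = [schedule(a, today, next_window) for a in advisories]
    return sorted(plans, key=lambda p: p["score"], reverse=True)


# Constructed sample advisories; IDs are placeholders, not real Cisco advisories.
SAMPLE = [
    # DoS-only flaw on an exposed router, but upstream filtering already limits it.
    Advisory("EXAMPLE-DOS-001", "dos", True, True, False, False, False),
    # Code-execution flaw on an exposed device that an auditor also requires fixed.
    Advisory("EXAMPLE-RCE-001", "code_execution", True, False, True, False, True),
    # DoS-only flaw on a device class this organisation has seen knocked over before.
    Advisory("EXAMPLE-DOS-002", "dos", True, False, False, True, True),
]


def run_sample() -> list:
    """Triage the constructed sample against an assumed date and patch window."""
    return triage(SAMPLE, date(2024, 1, 10), date(2024, 2, 1))


if __name__ == "__main__":
    for plan in run_sample():
        print(plan)
```

Running it places the code-execution advisory first (emergency, due within a week), the DoS flaw on a device class with a DoS history second (also emergency, matching the column's point that prior victims should treat such patches with high urgency), and the mitigated DoS-only flaw on the regular cycle, still with a date and still flagged for lab testing before production.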