How would you prioritize the need to update Cisco routers? For instance, a recent patch release addressed a flaw...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
that could enable denial-of-service attacks. Since a worst-case scenario wouldn't involve a malicious code execution, is there less urgency in applying this type of update?
Ask the Expert
Have questions about network security for expert Matt Pascucci? Send them via email today! (All questions are anonymous.)
It's my opinion that if there's an issue with a device and the vendor has taken the time to remediate the vulnerability with a patch, it should be applied. Although there are times when certain patches don't need to be applied right away, they should all be considered for production in a timely manner.
For those who have experienced a denial-of-service (DoS) attack, this might be a prudent patch to install with a high level of urgency. On the other hand, those who don't see DoS attacks as a significant concern or have multiple layers of security in place might decide to wait, since it might not be worth the downtime or potential disruption to business activities.
Remember, it's always important to pursue sound risk management principles in the context of patch management. Perhaps the most important way to limit patching risk is by testing patches in a QA environment before pushing out to production devices. I personally wouldn't want to patch something that wasn't first tested in a lab to consider potential production issues, especially any device running Cisco IOS and is likely crucial to the functionality of the overall enterprise network. Not wanting to patch something because you don't think the vulnerability will affect your company, however, is a mindset that needs to be altered.
If you're a company that has to uphold regulatory compliance standards, there might be times when you're being mandated to apply patches; if the company is that far behind, this patch is probably worth considering.
If you're not going to administer this patch, there's a chance that there are more that are also not on the radar to get patched. This can lead to a slippery slope of complacency. A convenient method to remedy this situation is to create a policy that updates these types of patches on a recurring basis -- say every month -- making sure to review them if they've had issues first. This way, you can knock out a few first and not have to be the first trying out this patch, and yet still have it update.
Dig Deeper on Network device security: Appliances, firewalls and switches
Related Q&A from Matthew Pascucci
Google Cloud KMS is a new encryption key management service available for Google customers. Expert Matthew Pascucci discusses how this service works ...continue reading
Flaws in AirWatch Agent and AirWatch Inbox allowed rooted devices to bypass the software's security measures. Expert Matthew Pascucci explains how ...continue reading
Universal second factor devices can be used to strengthen authentication on major websites such as Facebook. Expert Matthew Pascucci explains how U2F...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.