Microsoft recently released a record number of patches on Patch Tuesday, which seems to beg the question: With the growing amount of malware and its ever increasing ability to find and exploit zero-day flaws, is the patching process sustainable? Are there other ways enterprises can respond to software vulnerabilities than by haphazard patching?
The relationship between malware and patches is based on more than just the number of patches. While the number of patches and the frequency of the patching cycle is intended to thwart as many exploits as possible, the sheer volume of patches does make it significantly more difficult to keep up with patching for all of an enterprise's applications, which, in turn, makes it easier for malware to infect systems.
There is also a difference between zero-day flaws -- which are unpatched and initially have no workarounds -- and unpatched vulnerabilities where the vendor or the community has developed workarounds to protect systems.
That said, the patching process can be sustainable as long as you plan for comprehensive patching. You can also minimize the number of necessary patches by only installing essential software, using thin-clients where applications run off of a server and are centrally patched, and hardening endpoints, among other methods. Many of these methods can also be used to minimize the risk from zero-day exploits.
Patching is not the only option enterprises have for minimizing the risks posed by software vulnerabilities. Organizations can isolate systems from the network and maintain good physical security to minimize attacks; they can also use software or operating systems that are less prone to attack, or even choose different software to use on the same platform. Choosing different software that featured security in the software development life cycle could still provide comparable functionality to the vulnerable software, but with more security controls in place to reduce the risk of getting exploited. For example, if you need to use PDF files, you could use an alternative PDF reader like Foxit. The number of zero-day exploits illustrates the current state of software security and its current ineffectiveness at educating developers about and getting them to use secure software development practices. Enterprises could thoroughly investigate systems before they are deployed to understand the software or hardware development life cycle, and maturity of the company or project to ensure it matches the expectations of the enterprise.
Dig Deeper on Microsoft Patch Tuesday and patch management
Related Q&A from Nick Lewis
Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help ... Continue Reading
Island hopping attacks create enterprise risk by threatening their business affiliates. Here's how to create an incident response plan to mitigate ... Continue Reading
Many cloud providers are tight-lipped about internal security control details. Learn how to evaluate cloud security providers with certifications and... Continue Reading