Not Patching is the Pathway to Sure Compromise

A surefire means to achieve a compromise of your systems is to operate equipment which has long ago hit its end-of-life (Windows XP boxes for example), or ignore the need to patch and update the software and firmware of those devices and apps which are quietly humming along within your ecosystem. Many have chosen to forego the level of effort needed to close vulnerabilities for any number of reasons, including the operational expense of taking off-line active production devices.

Those who delay are, unfortunately, betting on the inattentiveness of the cybercriminal, the unscrupulous competitor, and possibly a nation state or two.


Sadly yes, and more troubling is that this appears to be a systemic problem across all industries, one that has been well documented over the years. For example, the 2015 Microsoft Security Intelligence Report revealed which already-identified (and already-remedied) exploits were most prevalent during the reporting period. Not surprisingly, those exploits dated from years, not months, earlier.

In the 2017 Verizon Data Breach Investigations Report (DBIR), evidence is presented which indicates that the aforementioned phenomenon persists across multiple sectors. Their study focused on two data points with respect to patching: time to patch, and vulnerabilities not addressed. Not a single sector achieved 100 percent, with the education and finance sectors lagging behind IT, manufacturing, and healthcare by a large margin, clearly indicative of a lack of understanding of the need to promptly close identified vulnerabilities.

If addressing all is impossible, at least tackle those which may inflict the greatest pain immediately and then remediate the remainder systematically, with all vulnerabilities clearly highlighted as open. The DBIR suggests, “You should ground your process (patching) around the exploitability of the findings you are addressing.”

Are entities still using Windows XP boxes? WannaCry? Yes, you probably do if you are one of …

This is a Security Bloggers Network syndicated blog post authored by Christopher Burgess. Read the original post at: Cylance Blog

Christopher Burgess

Christopher Burgess (@burgessct) is a writer, speaker and commentator on security issues. He is a former Senior Security Advisor to Cisco and served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit: Senior Online Safety.