Welcome to the sequel to “Getting Off the Patch” where we explore the point of patching for fun and profit. We are continuing with a part 2 because so much was left unsaid in part 1, like: “So what’s the deal, are you supposed to patch or aren’t you?” and “No, seriously, you gonna tell us?” and “Dude, quit it already, nobody likes you!”
In part 1 we discussed a lot of cool stuff like how patching may just be a form of brand recognition marketing. You should have read it. And we ended with how patching is a security tactic and not an Administrative control. So let’s pick up from there….
If patching is a tactic towards a particular security strategy, how can that be bad? I never said it was all bad. There are times when patching makes sense, just like there are times when it makes sense to have that third diazepam pill, park diagonally across two parking spots, or hide in a dumpster – and not coincidentally they all involve raccoons.
For example, one overall business strategy is to have perfectly working operations to optimize returns. But optimized returns rely on freedom from costly efforts or unexpected losses (security), and freedom from unpleasant surprises (trust) that force you to drop what you’re doing to deal with it. To achieve this, you can pick many tactics and just one of them is patching. So, consider this:
Patching may seem to be one of the cheaper tactics towards security since most patches are free and are no-brainers to install. But in what scenarios is it still cheaper after you count in the time of patching, testing, or not testing and fixing all the other software that breaks? Perhaps we
*** This is a Security Bloggers Network syndicated blog from Cylance Blog authored by Pete Herzog. Read the original post at: https://threatvector.cylance.com/en_us/home/security-getting-off-the-patch-the-shining-hope.html