‘Thorough’ More Important Than ‘Speed’ in Patch Management, Study Says
A steady, methodical approach to identifying and patching network vulnerabilities is more effective than trying to immediately address every component or device as soon as a patch is released.
That was among the recommendations in the Verizon 2016 Data Breach Investigations Report, which was released this week.
The annual analysis found that the top 10 known vulnerabilities accounted for 85 percent of successful exploits in 2015, and that a failure to patch older common vulnerabilities and exposures (CVEs) continues as a dominant factor in cyber-attacks.
“The tally of really old CVEs which still get exploited in 2015 suggests that the oldies are still goodies,” the report states. “Hackers use what works and what works doesn’t seem to change all that often.”
For this reason, the report's guidance favors a patching regimen that emphasizes thoroughness and consistent coverage over raw speed: an old, widely known vulnerability left unpatched on even a handful of hosts is still a working entry point.
“A methodical patch approach that emphasizes consistency and coverage is more important than expedient patching,” the report says.
The report also measured the interval from a vulnerability's publication and the release of its patch to the first observed successful exploit.
That analysis found that Adobe vulnerabilities are exploited on average just a few days after publication, followed by Microsoft at just over a week.
On the opposite end of the scale, Apple product vulnerabilities were exploited an average of more than 140 days after disclosure, while Mozilla proved most resistant, at more than 200 days.
“This provides us with some general guidelines on which software vulnerabilities to prioritize, along with some guidance on time-to-patch targets,” the report said.
The research also acknowledges an “often ignored” security constraint.
“Sometimes you just can’t fix a vulnerability – be it because of a business process, a lack of a patch, or incompatibilities,” the report said.
“At that point, for whatever reason, you may have to live with those residual vulnerabilities,” the document continued. “It’s important to realize that mitigation is often just as useful as remediation – and sometimes it’s your only option.”
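The guidance above combines three ideas: prioritize by the vendor's observed time-to-first-exploit, measure coverage across every affected host rather than speed on any one of them, and count a documented mitigation as coverage when a patch cannot be applied. The following is an added example that illustrates that combination; it is not code from the Verizon DBIR or from this article. The per-vendor time-to-patch targets are assumptions rounded from the article's time-to-first-exploit figures (the report does not publish such a table), the inventory format is invented for the example, and the `CVE-EXAMPLE-*` identifiers are placeholders, not real CVEs.

```python
"""Patch prioritization and coverage report (added example, not DBIR code)."""
from collections import defaultdict
from datetime import date, timedelta

# Assumed time-to-patch targets in days after disclosure, rounded from the
# article's time-to-first-exploit figures; these are illustrative, not the
# report's data.
PATCH_TARGET_DAYS = {"adobe": 3, "microsoft": 8, "apple": 140, "mozilla": 200}
DEFAULT_TARGET_DAYS = 30  # assumed fallback for vendors the article does not cover


def target_days(vendor):
    """Days after disclosure by which affected hosts should be covered."""
    return PATCH_TARGET_DAYS.get(vendor.lower(), DEFAULT_TARGET_DAYS)


def is_covered(entry):
    """A host counts as covered if it is patched or has a documented mitigation,
    following the report's point that mitigation is often as useful as remediation."""
    return bool(entry.get("patched")) or bool(entry.get("mitigated"))


def coverage_by_cve(inventory):
    """Fraction of affected hosts that are patched or mitigated, per CVE."""
    covered, total = defaultdict(int), defaultdict(int)
    for e in inventory:
        total[e["cve"]] += 1
        if is_covered(e):
            covered[e["cve"]] += 1
    return {cve: covered[cve] / total[cve] for cve in total}


def overdue_cves(inventory, today):
    """CVEs past their vendor-specific target date that still have uncovered
    hosts, most overdue first. A CVE leaves this list only when every affected
    host is remediated or mitigated, which is the 'coverage' view the report
    recommends over patching whichever host happens to be reachable first."""
    by_cve = defaultdict(list)
    for e in inventory:
        by_cve[e["cve"]].append(e)
    cov = coverage_by_cve(inventory)
    report = []
    for cve, entries in by_cve.items():
        uncovered = sorted(e["host"] for e in entries if not is_covered(e))
        if not uncovered:
            continue
        vendor = entries[0]["vendor"]
        due = entries[0]["published"] + timedelta(days=target_days(vendor))
        days_past = (today - due).days
        if days_past <= 0:
            continue  # still inside the target window
        report.append({
            "cve": cve,
            "vendor": vendor,
            "due": due,
            "days_past_target": days_past,
            "coverage": cov[cve],
            "unpatched_hosts": uncovered,
        })
    report.sort(key=lambda r: r["days_past_target"], reverse=True)
    return report


# Constructed sample inventory: hosts, dates and CVE identifiers are made up.
SAMPLE_INVENTORY = [
    {"host": "ws01", "vendor": "Adobe", "cve": "CVE-EXAMPLE-0001",
     "published": date(2016, 4, 1), "patched": True},
    {"host": "ws02", "vendor": "Adobe", "cve": "CVE-EXAMPLE-0001",
     "published": date(2016, 4, 1), "patched": False},
    {"host": "ws03", "vendor": "Microsoft", "cve": "CVE-EXAMPLE-0002",
     "published": date(2016, 3, 1), "patched": True},
    {"host": "ws04", "vendor": "Microsoft", "cve": "CVE-EXAMPLE-0002",
     "published": date(2016, 3, 1), "patched": True},
    # No patch applicable; a compensating control is recorded instead.
    {"host": "ws05", "vendor": "Apple", "cve": "CVE-EXAMPLE-0003",
     "published": date(2016, 4, 10), "patched": False, "mitigated": True},
    {"host": "ws06", "vendor": "Mozilla", "cve": "CVE-EXAMPLE-0004",
     "published": date(2015, 1, 1), "patched": False},
]
SAMPLE_TODAY = date(2016, 5, 1)

if __name__ == "__main__":
    for r in overdue_cves(SAMPLE_INVENTORY, SAMPLE_TODAY):
        print(f"{r['cve']:18} {r['vendor']:10} {r['days_past_target']:4d} days past target "
              f"coverage={r['coverage']:.0%} open={','.join(r['unpatched_hosts'])}")
```

Run against the sample, the Mozilla item tops the list despite its long target window because it has been open since early 2015, the Adobe item follows with one of two hosts still unpatched, and the Apple item does not appear at all because its mitigation counts as coverage. The vendor targets are the knob to tune: a practitioner would replace the assumed values with their own observed exploit timelines and treat the per-CVE coverage figure, not the first patched host, as the completion criterion.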
Phishing, a social engineering threat vector favored by organized crime syndicates and state actors, again was the dominant method of cyber-attacks.
The data also found that, despite increasing warnings, about 30 percent of phishing emails were opened by the target, and 12 percent of targets went on to click the malicious attachment or link, the second step that actually delivers the malware into the network.
Very seldom are phishing emails reported to management, the study found.
“Approximately 3 percent of targeted individuals alerted management of a possible phishing email,” the report said.
The researchers recommend use of email filtering, monitoring of outbound traffic for suspicious connections and exfiltration of data, and regular training of employees to recognize phishing activity.
“Also, provide them with a means for reporting these events,” the study suggests. “We recommend a button on their taskbar, but whatever works for you.”
In all, this year’s study tallied 64,199 security incidents, defined as events that compromise the integrity, confidentiality or availability of an information asset.
There were 2,260 of the more-serious security breaches, in which there was a confirmed disclosure of data to an unauthorized party.
Send tips and news to MSPmentorNews@Penton.com.