With the number of vulnerabilities rising, particularly across client-side applications, organizations must implement a robust patch management program, a panel said Thursday at SC World Congress in New York.
Drawing on data culled from 80 million scans of IP addresses, Jason Falciola, technical account manager at vulnerability management firm Qualys, said the half-life of vulnerabilities has remained steady at around 30 days for the past six years.
Half-life refers to the average time between a flaw being disclosed and the time when half of its occurrences have been eradicated in an enterprise. Those statistics, combined with the fact that one security bug arises from every 1,000 lines of code, means organizations are facing an uphill climb, Falciola said.
The risks augment further considering the rise of the commercial exploit business, where individuals can buy toolkits on the black market that guarantee a “five to 30 percent success rate.”
“It really has lowered the bar for entry into this market,” Falciola said.
And while companies have gotten better at patching operating systems, attackers significantly are ramping up their exploits against programs such as Adobe Reader and Microsoft Office.
Falciola’s fellow panelist, Rob Duran, the CISO of Time Inc., is responsible for the security of 20,000 network nodes.
He said he applies a four-phased approach to patching: intelligence monitoring, testing, deployment and verification that the fixes work. In addition,organizations must gain an accurate inventory of their systems, use an automated patch system and develop a strategy for addressing flaws in mobile devices.
Duran said the reality is that businesses will likely always face the need to patch.
“Developers will always write buggy code,” Duran said. “It’s an unfortunate fact.”
One audience member asked Duran how IT should handle unsupported programs to which employees may want access. Duran responded that the department can consider locking down end-user privileges to install programs, but if IT doesn’t restrict installation of these applications, they should take ownership and support them, he said.