On a recent webinar looking at the trends in the vulnerability landscape throughout 2016, Kasper Lindgaard, Director of Secunia Research @Flexera, pointed to some of the trends which hadn’t changed and that we do not expect to change as we enter 2017: the number of vulnerabilities continues to rise every year. At the same time, the percentage of vulnerabilities that have a patch available at the time they become public continues to be high, at around 85%. Another study, published by Verizon in 2016, shows that, on average, first exploitation of a vulnerability happens 30 days after the vulnerability becomes public.
Kasper also suggests that the recent risks associated with the rise of the Internet of Things (IoT), and with the security of Open Source Software (OSS) and third-party software components, are starting to show in the trends, as observed in the shift in the impact of attacks.
Additionally, the majority of attacks target applications and old, well-known vulnerabilities. What all of this data suggests is that most vulnerabilities can be remediated before hackers can ramp up their activities.
The logical conclusion is: it is possible to apply security-related patches before exploitation, and doing so is critical to strengthening the security of devices and the data they store.
While I know that there are many challenges in improving patching activities, and that many organizations struggle to overcome those challenges, I also believe that a shift in mindset is required to effectively look at patching with a new perspective and quickly get to a better baseline.
In the age of cloud and mobility, the old network security practices are no longer enough to ensure the integrity of devices and data protection. For that reason, keeping devices and the applications they run up to date is a vital layer of security that can’t be neglected.
Whether you are a producer of software or a user, enterprise or private, 2017 is a year to take patching seriously and make it part of your strategy to protect your devices and your data: use the knowledge of the vulnerability landscape, focus on patches that address a security risk and introduce a new perspective to your patch management practices.
Let’s be more secure in 2017 than we were in 2016! See you in the New Year.