Why Patching Is Not Enough
Are You Patching More But Feeling Less Secure?
You aren't alone. Over 250 million records were stolen in 70 major data loss incidents in just the last year. All of these compromised networks had enterprise-grade patching programs in place. Yet every one of them fell victim to a KNOWN vulnerability, meaning that the weakness that let a hacker in was well described and discussed in the public domain. The lesson is that patching is not enough. Apparently neither was the enterprise-grade firewall, antivirus program and IPS/IDS program most of these 70 companies had in place.

Patching Strengths and Weaknesses

Patching is vital. However, it has its costs, and as the frequency of patch publication increases, a point may be reached where existing resources are not enough to keep up. For example, Microsoft alone releases over 300 patches a year. A typical organization needs fewer than 30. Installing patches just because they were published means increasing downtime and taking the risk that a patch might break existing functionality, all of it unnecessarily.

Additionally, many serious network vulnerabilities are not poor coding issues but rather configuration issues. You may have every Microsoft patch in place, but if you are also running Linux, Mac, Cisco and Oracle devices in your network, then patching as recommended by just the major vendors is not enough. Installing every patch from every vendor is an administrative headache, to say the least.

Also keep in mind that most networks have accumulated applications and code that are no longer in constant use but are kept around, just in case. If these are not actively patched, they offer an easy avenue for entry to your system.

Patching Headache? Here's Your Aspirin:

The term 'back door' is appropriate. The most elaborate home security system will not keep a thief from attempting to walk into a wide open back door. The known network vulnerabilities on your system today are that wide open door.
Instead of adding more layers of alarms, how about just finding and closing the door? Vulnerability scanning is the vital fourth pillar of your security strategy. Firewalls, antivirus and IPS/IDS react to attack while Vulnerability Assessment and Management will remove the incentive to attack at all.

Since nearly four nines (99.99%) of all data breaches are accomplished using known vulnerabilities, here's the best security strategy: Find your actual, current and real vulnerabilities and put your security resources to work eliminating them. Then, when your network has no known vulnerabilities, you can confidently put your attention on the issues that will actually move your company forward!

Find and handle your network vulnerabilities with AVDS, your web server vulnerabilities with WSSA and your application vulnerabilities using beSTORM.
Our Experts Are At Your Service...

At Beyond Security you have access to real security experts. Questions? Email: Support@BeyondSecurity.com or call toll-free: (800) 801-2821, M-F 7:30 am - 5:30 pm PT.

WSSA is our hosted scanning solution for web sites, web servers and all internet facing IP addresses. For internal scanning of networks consisting of any number of servers, ports or IP addresses, please consider our appliance-based solution: AVDS.

