Technology: Why Do Old Security Threats Still Exist?

Johannesburg – Criminals are always searching for new ways to breach digital systems.

Every year, new types of attacks make the list of the most popular methods, while some old security threats persist. 

In fact, two of PurpleSec’s Top Vulnerabilities In 2022 have been around for more than a year. 

For instance, 2022’s most significant threat, Log4Shell, surfaced in 2021 and still affects systems a year later, and the Microsoft Office Bug, ranked 6th, has existed for over two decades.

These are just a few examples of persistent digital security attacks, and thousands of other known attacks continue to be used every day to breach systems. 

Criminals use various tools to break into computers, but their methods often involve stealing passwords and exploiting system bugs as a loophole to bypass security measures.

The vulnerabilities behind these exploits can generally be eliminated by patching them out of existence.

However, in reality, old attacks persist because systems are not patched quickly and thoroughly enough.

With so much at stake, why do companies fail to close these gaps?

Lior Arbel, co-founder of security SaaS provider Encore, says that “patching is a complicated issue”.

Arbel explains: “There are several reasons why companies don’t patch, such as the complexity of their systems, the risk involved in patching, or the lack of control over the services they want to patch. 

“However, companies must focus on patching by designing patching processes specific to their environments and having up-to-date visibility of their systems.”

The Challenge with Patching

While criminals can use various techniques to break into systems, most of them rely on exploiting vulnerabilities, which are gaps in systems that uninvited parties use to gain access.

When such a gap becomes publicly known, the vendor company that produces the software creates a patch that closes the gap, and customers apply the patch to their copies of the software. 

However, several reasons make patching difficult:

  • Patches are risky and can result in productivity losses when complex and integrated systems stay offline due to a patch issue.
  • Companies use software built from various components and modules, and they might not know that a module they rely on has a security flaw.
  • When companies use Software-as-a-Service, they have no control over the software updates and have to wait for the software’s maker to apply any patches.
  • Sometimes, people do not want to patch, either because they think it’s risky or because they find the process inconvenient.
  • Companies may lack visibility and the means to identify patching priorities and develop processes to ensure proper patching happens.

Improving Patching

Patching systems is essential, but not all systems and patches are critical or necessary. 

Instead, companies should establish visibility that will inform patching strategies. 

Arbel says: “There should be a process based on understanding, visibility, and prioritization to deal with the most critical patches first. 

“Some systems or situations won’t require patching, and some you can delay patching. But some will be critical. 

“You also need clarity on when and how to apply a patch.” 

Strategic patching is about security mitigations, and companies need to understand how their security environment works and which risks it covers in order to make the right patching choices.

Arbel emphasises that patching is a means to an end, not the end itself, and there are alternative strategies to patching. 

Encore has developed a tool that discovers the status of a company’s security systems in near real-time. 

This provides detailed and current visibility of the entire integrated security estate, allowing companies to develop real strategic patching processes that go beyond reactive patching and lead to effective security safeguards.

Old security threats persist because companies often lack reliable visibility of their security statuses to develop strategic patching and other security safeguards. 

When companies avoid patching, they might attribute it to a patch being too disruptive to their environment or blame the complexity of their systems. 

However, in reality, they are sitting in the dark: they lack visibility of their entire estate, and gaining that visibility is the first step to creating real strategic patching processes.

Says Arbel: “That’s how you stop old attacks from creating new problems.” 

Therefore, companies must prioritise patching by designing patching processes specific to their environments and having up-to-date visibility of their systems.

With these measures in place, companies can develop effective security safeguards that go beyond reactive patching, mitigate the risk of cyber threats and protect their systems from exploitation.

With the constant evolution of cyber threats, it’s essential to understand that patching is just one part of an effective cybersecurity strategy, and companies need to consider other security safeguards to ensure their systems are protected from both old and new cyber threats.