High-profile cybersecurity incidents continue to result from the simple mistake of leaving a known vulnerability unpatched. To understand how organizations are keeping up with vulnerabilities, Tripwire partnered with Dimensional Research to survey 406 IT security professionals about their patching processes. Findings revealed that the majority (78 percent) fix all vulnerabilities detected on their network within 30 days of discovery, with 40 percent saying it usually takes less than 15 days. The survey also found that when a new vulnerability is discovered, only 15 percent believe it is unacceptable to wait any time at all for a patch to be installed on their systems once it has been released, while nearly half (46 percent) say they would be prepared to wait no more than seven days. Tim Erlin, vice president of product management and strategy at Tripwire, reminds us of the dangers of organizations waiting to patch:
Attackers will always go for the low-hanging fruit, the proverbial 'unlocked door,' over a more complex method of compromise. As long as these older vulnerabilities are present, they'll continue to be exploited. Organizations should really be aiming to fix vulnerabilities on their systems as rapidly as is feasible. Any gap in applying a patch to a vulnerability provides an opportunity for hackers to access systems and steal confidential data.
Survey respondents were split on the need to prioritize people vs. technology resources to mitigate today's cyberattacks; 54 percent believe that an investment in people is needed most, while 46 percent said technology. Vulnerability management begins with asset discovery, or creating an inventory of all known hardware and software installed on their networks. This this difficult to do manually at large organizations. However, the survey revealed that only 17 percent of organizations have automated tools which enable them to identify the locations, department and other critical details about unauthorized hardware and software changes on their network. Erlin added:
If you don’t know what devices are on your network, you’re setting yourself up to fail in terms of securing it. For some organisations, doing this manually is just unrealistic and too challenging, which is why automated technology solutions exist to address this issue. Those who can identify these changes and additions to their networks within minutes will be in a much more comfortable position when it comes to security.
Companies can best prioritize risk in their IT environments by investing in a solution that can discover all their hardware and software for them. They must also deploy a project that provides a suitable metric when it comes to vulnerability and risk management. Fortunately for them, Tripwire has developed such an objective metric and incorporated it into its Tripwire IP360 solution. To learn more about Tripwire's vulnerability scoring system, please download this paper.