Beware of the recovery time frame when patching vulnerabilities

The release of a security patch is usually welcomed by cyber criminals because it’s a sign that a vulnerability has been discovered and that there’s time to exploit it before the patch is installed. The time frame between the patch’s release announcement and its installation by users is called the recovery time frame. According to Cisco’s 2017 Annual Cybersecurity Report, the length of this period depends on:

  • how often and regularly vendors release updates
  • how disruptive the announcement is
  • how easy it is to opt out of reminders
  • how often the software is used

If patches are released regularly, the recovery time frame is shorter. But the more often announcements are made, the more often users opt out of reminders and forget to install updates.

What you risk by not patching as soon as possible

Based on over 300,000 application scans, Veracode’s State of Software Security Report 2016 identified information leakage as the top vulnerability category, affecting 72% of all apps analysed. Information leakage covers flaws that let an application reveal sensitive data about itself (for example its configuration, internal paths or error details) or about its users. The percentage of web applications affected in each industry was:

  • Technology: 74.4%
  • Government: 69.3%
  • Retail and hospitality: 67%
  • Financial services: 65.7%
  • Healthcare: 65.6%

How to discover if your web applications are vulnerable

You can wait for cyber criminals to find flaws in your web apps and steal your data, or you can hire an ethical hacker to find your vulnerabilities first. A web application penetration test will identify any vulnerabilities in your web application and recommend a course of action to mitigate issues and improve your overall security.

Don’t forget to patch your hardware too

Patches and updates don’t just apply to software, but to hardware as well. Bugs and vulnerabilities are found in hardware just as they are in applications, so its firmware needs regular updating too. Because this can be difficult, it is often overlooked. A scan of the network will often reveal that the very appliances used to control, monitor and secure the network are running outdated and unsupported firmware.

Furthermore, it is important for compliance with the PCI DSS that both the applications and the hardware are updated if they are part of the in-scope environment.

Contact us on +44 (0)845 070 1750 or email servicecentre@itgovernance.co.uk for further information.
