Patching is an obligatory best practice, but that doesn't mean organizations do it right, on time, or even at all for some systems deemed low-risk.
Take the U.S. Department of Energy, which this week was called out for poor patching practices. According to the DoE Inspector General's office, desktop systems, network systems, and network devices at 15 different DoE locations were found running applications that hadn't been patched for known vulnerabilities. About 46 percent of the desktop systems were running operating systems or applications without the most current patches, according to the IG's report.
"These applications were missing security patches for known vulnerabilities that had been released more than 3 months prior to our testing," the report (PDF) says.
But the federal agency is far from alone in leaving systems unpatched: Many organizations struggle to get a handle on the vulnerabilities in their environments. Recent research from Secunia suggests that enterprises could realize big-time security improvements if they prioritize their patches by the severity of the vulnerability instead of the prevalence of the application.
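To make the prioritization point concrete, here is a small added model in Python; it is not code from the article, from Secunia's research, or from the DoE report. It uses a constructed, hypothetical inventory of unpatched applications (names, host counts, CVSS scores and release dates are all made up) and compares two patch orderings: most-installed application first versus most-severe vulnerability first. It also reproduces the IG's "fix available for more than 3 months" check as a 90-day overdue filter.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class MissingPatch:
    """One application in the fleet that still lacks an available fix."""
    app: str
    hosts: int        # prevalence: number of hosts still missing the patch
    cvss: float       # severity: CVSS base score of the worst open vulnerability
    released: date    # date the vendor shipped the fix


# Constructed sample inventory (hypothetical values, not from any real report).
INVENTORY = [
    MissingPatch("office-suite", hosts=900, cvss=2.6, released=date(2012, 9, 1)),
    MissingPatch("pdf-reader", hosts=650, cvss=9.3, released=date(2012, 8, 15)),
    MissingPatch("java-runtime", hosts=300, cvss=10.0, released=date(2012, 6, 30)),
    MissingPatch("media-player", hosts=40, cvss=7.5, released=date(2012, 10, 20)),
]


def by_prevalence(inventory):
    """Patch order if you go by how widely the application is installed."""
    return [p.app for p in sorted(inventory, key=lambda p: p.hosts, reverse=True)]


def by_severity(inventory):
    """Patch order if you go by vulnerability severity, ties broken by prevalence."""
    return [p.app for p in sorted(inventory, key=lambda p: (p.cvss, p.hosts), reverse=True)]


def overdue(inventory, today, max_age_days=90):
    """Applications whose fix has been available longer than max_age_days."""
    return [p.app for p in inventory if (today - p.released).days > max_age_days]


def risk_exposure(inventory):
    """Crude fleet-wide exposure: severity weighted by the number of hosts affected."""
    return sum(p.cvss * p.hosts for p in inventory)


def exposure_after_n(inventory, order, n):
    """Exposure left after the first n applications in `order` have been patched."""
    fixed = set(order[:n])
    return sum(p.cvss * p.hosts for p in inventory if p.app not in fixed)


if __name__ == "__main__":
    today = date(2012, 11, 15)  # constructed "audit date"
    print("overdue (>90 days):", overdue(INVENTORY, today))
    print("total exposure:", risk_exposure(INVENTORY))
    for label, order in (("prevalence", by_prevalence(INVENTORY)),
                         ("severity", by_severity(INVENTORY))):
        print(f"{label:10s} order={order}")
        for n in range(1, len(order) + 1):
            print(f"  after {n} patch(es): {exposure_after_n(INVENTORY, order, n):.1f}")
```

Run it and compare the two "after n patch(es)" columns: with this inventory the severity-first order removes more exposure at every step, because the most-installed application carries only a low-severity flaw. The same script is easy to point at a real inventory export, but the exposure metric here is deliberately simple (score times host count) and ignores exploitability and asset criticality, which a production prioritization would need to include.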
Marc Maiffret, CTO and co-founder of eEye Digital Security, says it comes down to not knowing what you don't know. "Companies ... don't have the visibility, so they don't have a handle on where the weaknesses are in their environment. Or they don't know where to start, and they give up," Maiffret says.