Organizations could reduce risk significantly by changing patching priorities, according to Secunia
Most enterprises prioritize their security patches by which applications they use most. If most of the users in the enterprise are running Microsoft Word, for example, then that application will move to the head of the line for patching.
In a blog and whitepaper issued this week, however, researchers at Secunia suggested that enterprises could achieve significant security improvements if they prioritize their patches by the severity of the vulnerability instead of the prevalence of the application.
"Many organizations prioritize their patches by selecting the most prevalent or most attacked applications," says Thomas Kristensen, CTO of Secunia. "This is a flawed approach. You should look at criticality and number of vulnerabilities, and use that as your filter."
Research reveals that an 80 percent reduction in risk can be achieved by identifying and patching either the 12 most risky programs or the 37 most prevalent programs, the whitepaper says.
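To make the comparison concrete, the following is an added example (not Secunia's code or data) that ranks a constructed software inventory two ways, by prevalence and by a simple risk score, and counts how many programs each ordering must patch to remove 80 percent of the total risk. The inventory, the 1-to-5 criticality scale and the risk model (vulnerability count times criticality) are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Program:
    name: str
    prevalence: float      # share of hosts with the program installed (constructed)
    vulnerabilities: int   # unpatched vulnerabilities disclosed in the period (constructed)
    criticality: int       # 1 (low) .. 5 (extremely critical); assumed scale

    @property
    def risk(self) -> int:
        # Assumed risk model: every vulnerability weighted by its criticality.
        return self.vulnerabilities * self.criticality


# Constructed sample inventory: widely installed programs with few, low-rated
# vulnerabilities alongside less common programs carrying most of the risk.
INVENTORY = [
    Program("office_suite", 0.95, 4, 2),
    Program("browser", 0.90, 20, 4),
    Program("pdf_reader", 0.85, 12, 5),
    Program("media_player", 0.80, 10, 4),
    Program("chat_client", 0.75, 2, 2),
    Program("archiver", 0.70, 3, 3),
    Program("java_runtime", 0.40, 30, 5),
    Program("flash_plugin", 0.35, 25, 5),
    Program("ftp_client", 0.10, 1, 1),
    Program("vpn_client", 0.60, 2, 4),
]


def patch_order(inventory, key):
    """Return the inventory sorted so the highest-scoring program is patched first."""
    return sorted(inventory, key=key, reverse=True)


def programs_to_reach(inventory, order, target=0.80):
    """Count how many programs, patched in the given order, remove `target` of total risk."""
    total_risk = sum(p.risk for p in inventory)
    covered = 0
    for count, program in enumerate(order, start=1):
        covered += program.risk
        if covered >= target * total_risk:
            return count
    return len(order)


def compare_strategies(inventory, target=0.80):
    """Programs to patch under a risk-first versus a prevalence-first ordering."""
    by_risk = patch_order(inventory, key=lambda p: p.risk)
    by_prevalence = patch_order(inventory, key=lambda p: p.prevalence)
    return {
        "by_risk": programs_to_reach(inventory, by_risk, target),
        "by_prevalence": programs_to_reach(inventory, by_prevalence, target),
    }


if __name__ == "__main__":
    print(compare_strategies(INVENTORY))
```

On the constructed inventory the risk-first ordering reaches the 80 percent mark after 4 programs, while the prevalence-first ordering needs 9, which is the effect the whitepaper describes.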
Most organizations still take too long to patch their applications, according to Secunia. "There is a lot of talk about zero-day attacks, but the truth is that most cybercriminals don’t need a zero-day attack in order to penetrate enterprise defenses, because there is a significant amount of time available to do an exploit between the disclosure of the vulnerability and the deployment of the patch," Kristensen observes.
"Organizations hold the power to patch 65 percent of vulnerabilities on the day of disclosure firmly in their hands," the whitepaper says.
Cybercriminals are less interested in attacking widely used applications from Microsoft than they used to be because Microsoft has become faster in identifying vulnerabilities and quicker to deploy patches for its applications, Kristensen says. "Now, non-Microsoft programs that are patched with less frequency and deployed more slowly are a more attractive target," he says.