Happy 20th birthday Patch Tuesday, but why do we still have Exploit Wednesday?
This month has quietly marked an important anniversary: Patch Tuesday is 20 years old. Back on 14 October 2003, Microsoft published the first set of bundled vulnerability fixes on a set date every month. The idea? To make patch deployment more straightforward to manage for organisations. The question? Why are organisations still so slow to patch?
The anniversary matters all the more because other vendors, such as Adobe and Oracle, soon followed suit. And for good reason: bundling these fixes on a set date, the second Tuesday of every month, allows IT departments to plan ahead while reducing costs and improving security.
Unfortunately, two decades on, the vast majority of businesses have not implemented patches for critical vulnerabilities within 24 hours, according to the results of a new threat mindset survey from SonicWall.
That 24-hour metric is important because the day after Patch Tuesday is known as Exploit Wednesday. For a very obvious reason: it’s when threat actors exploit published vulnerabilities before they’re patched, before the attack window closes.
Worrying security disconnect
The SonicWall Threat Mindset Survey unsurprisingly reflects the broader business concern with ransomware. Indeed, ransomware was the primary concern of 83% of those questioned, closely followed by phishing, including highly targeted spear-phishing attacks and encrypted malware.
Yet, despite these concerns, 78% said they don’t patch critical-rated vulnerabilities within that previously mentioned 24-hour window. Meanwhile, 13% will only apply those critical patches “when time allows.”
“Regularly patching is the same as locking your front door; all the other security aspects are redundant if the fundamental line of defence is corrupted,” said Spencer Starkey, EMEA Vice-President at SonicWall. “Before organisations look to address more complex aspects of their security stack, they should first bolster the defences at home.”
Why Patch Tuesday doesn’t solve the problem
Sylvain Cortes, Vice-President of Strategy at Hackuity, agrees that regular patching against vulnerabilities is important, but can see why Patch Tuesday isn’t a magic bullet.
“Patching continues to be a big challenge for many organisations,” said Cortes. “Sprawling IT estates, siloed operations, competing demands between security and operations teams, and a lack of communication, mean that patching becomes a disconnected, painful, and drawn-out process.”
So, what is the answer? The somewhat chequered history of fixes that have themselves caused further failures means that patches must be tested before they can be rolled out into a live environment. This, inevitably, causes a delay that leaves the attack window open.
Which is why patch management has become so essential. As Cortes concludes: “With ever increasing numbers of vulnerabilities to manage, taking steps to contextualise and prioritise risks has never been more important.
“Building on the routine practice of patching, organisations must focus on vulnerability prioritisation to hone in on the threats that really matter to their business.”
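The prioritisation Cortes describes can be made concrete with a small scoring model. The following is an added example, not code from SonicWall, Hackuity or the article: it ranks a constructed list of findings by vendor severity, evidence of in-the-wild exploitation (the Exploit Wednesday scenario), internet exposure and the business value of the affected asset, and derives a patch deadline from the result. The weights, the tier scheme and the `CVE-0000-000N` identifiers are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    cve: str            # placeholder identifier, constructed for this example
    severity: str       # vendor rating: "critical", "high", "medium" or "low"
    exploited: bool     # exploitation already observed in the wild
    exposed: bool       # affected asset is reachable from the internet
    asset_tier: int     # 1 = business-critical, 2 = important, 3 = low value

# Assumed baseline SLA per vendor severity, in hours (24h for critical matches
# the window the survey asks about).
BASE_HOURS = {"critical": 24, "high": 72, "medium": 336, "low": 720}
SEVERITY_POINTS = {"critical": 40, "high": 30, "medium": 15, "low": 5}

def risk_score(f: Finding) -> int:
    """Contextual score: severity is the starting point, not the whole story."""
    score = SEVERITY_POINTS[f.severity]
    if f.exploited:
        score += 30                   # a working exploit outweighs a theoretical one
    if f.exposed:
        score += 20                   # internet-facing assets meet attackers first
    score += (4 - f.asset_tier) * 5   # tier 1 adds 15, tier 2 adds 10, tier 3 adds 5
    return score

def patch_deadline_hours(f: Finding) -> int:
    """Turn context into a concrete SLA rather than relying on severity alone."""
    hours = BASE_HOURS[f.severity]
    if f.exposed:
        hours //= 2                   # halve the allowance for internet-facing assets
    if f.exploited:
        hours = min(hours, 24)        # known exploitation: never more than a day
    if f.exploited and f.exposed and f.asset_tier == 1:
        hours = 8                     # worst case: emergency change window
    return hours

def prioritise(findings):
    """Highest score first; ties broken by tighter deadline, then identifier."""
    return sorted(findings, key=lambda f: (-risk_score(f), patch_deadline_hours(f), f.cve))

# Constructed sample data; none of these identifiers refer to real advisories.
SAMPLE = [
    Finding("CVE-0000-0001", "critical", True,  True,  1),
    Finding("CVE-0000-0002", "critical", False, False, 3),
    Finding("CVE-0000-0003", "high",     True,  False, 2),
    Finding("CVE-0000-0004", "medium",   False, True,  1),
    Finding("CVE-0000-0005", "low",      False, False, 3),
]

def ranked_ids(findings=SAMPLE):
    return [f.cve for f in prioritise(findings)]

if __name__ == "__main__":
    for f in prioritise(SAMPLE):
        print(f"{f.cve}  score={risk_score(f):3d}  patch within {patch_deadline_hours(f)}h")
```

The point the ordering makes is the one in the quote: the medium-rated bug on an exposed, business-critical asset ranks above the critical-rated bug sitting on an isolated low-value host, so a team that only sorts by vendor severity would spend its first 24 hours on the wrong fix.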