Articles about vulnerability patching

Your patch management solution needs help

Proper patch management is an important component of cybersecurity hygiene. If organizations don’t apply fixes to software bugs in a timely manner, they risk exposing themselves to a variety of threats. But scrambling to fix bugs identified by the Common Vulnerabilities and Exposures (CVE) program is not a complete solution. Organizations need to be doing much more.

The CVE and CVSS programs are essential components of information security management systems (ISMS) at most organizations, but they clearly have issues. The CVE program offers a reference for publicly known vulnerabilities and exposures. CVSS provides a way to capture the main characteristics of a vulnerability and produce a numerical score that reflects its severity. Among the many challenges with these programs, CVSS is not a true indication of the risk a CVE represents to an organization. That’s because it attempts to take the environment into consideration but only has limited success doing so.

A third of ICS vulnerabilities have no patch available

New research, from ICS/OT cybersecurity firm SynSaber, has analyzed over 900 CVEs reported in industrial control systems in the second half of 2022 and finds that 35 percent have no patch or remediation available.

Only 56 percent of the CVEs have been reported by the original equipment manufacturer (OEM), while 43 percent have been submitted by security vendors and independent researchers. A firmware update is required to fix 33 percent.

Log4Shell still being exploited six months on

Six months after the Log4Shell vulnerability was made known, vulnerable instances remain accessible on the internet and people are still attempting to exploit them, according to the latest Trustwave SpiderLabs Telemetry report.

Using data gathered from the Shodan device search engine, the report shows that as of June 9, 2022, 1,467 instances were vulnerable to Log4Shell. These vulnerable instances are from the Russian Federation, United States, and Germany with 266 (18 percent), 215 (15 percent), and 205 (15 percent) hosts, respectively.

The risk-based approach to vulnerability patching: How to do it right

As businesses continue to produce and switch over to digital products, we see more cyberattacks and more software flaws exploited for nefarious purposes. The number of small software flaws that cause major issues can quickly get out of hand. Machine learning has been applied to this problem, producing a process known as risk-based vulnerability patching that helps keep it under control.

This article will discuss what a risk-based approach is, the patching processes, solutions to negate the risk of each issue, and a management plan for every part of the process. Sections will be broken down by the type of software and each part of the risk management process.

BetaNews, your source for breaking tech news, reviews, and in-depth reporting since 1998.

© 1998-2025 BetaNews, Inc. All Rights Reserved.