Wednesday 18 July 2018

Are ERP patches regular enough to be value for money?

The average time from the discovery of a vulnerability to a patch being issued is, for well-supported software, thirty days. In a best-case scenario, cybercriminals have a whole month to make the most of the exploit.

Of course, it’s not always a best-case scenario. For example, in 2016, an SAP authentication vulnerability was patched that had first been reported way back in 2012. Any hacker looking to use this vulnerability to gain access to a system had the best part of four years to do so. And some business practices mean that there is much longer between a vulnerability being discovered and a patch being released—Oracle rolls all of its patches into a quarterly Critical Patch Update, meaning there are potentially three months from a patch being created until it’s rolled out.

The issues aren’t only on the software providers’ side—in fact, the biggest problems can be found with the users and businesses who fail to install patches. This isn’t down to shoddy practices or a lack of care, but simply because applying a patch requires a lot of effort. A survey commissioned by security firm Bromium has shown that over half of businesses didn’t have the internal resources to implement regular patches, and that the average cost of applying a patch was around $20,000 per patch.

Oracle has attempted to hurry its users into applying patches ASAP, adding to its patch notes: “…Attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.” But businesses can’t simply apply the patch and hope for the best. There needs to be a fully-developed patch management process, using an accurate inventory of an IT estate so that nothing is missed, and with a comprehensive testing procedure that ensures that nothing will break following a patch.

The cost and disruption of applying a patch means that an average of 100-120 days passes between a patch being available and a patch being applied. This schedule allows cybercriminals to slow down and take it easy—there’s likely to be around five months from when a vulnerability is disclosed until the average business fixes it. There’s plenty of time to gain access, steal data, and cause havoc.

The long periods of time between the discovery of vulnerabilities and the fix being applied—wherever the blame lies—only help those in the cybercrime business by leaving critical systems open to attack.


Article Credit: ItProPortal





source http://news.statii.co.uk/are-erp-patches-regular-enough-to-be-value-for-money/
