COMBATING PATCH FATIGUE
ARE WE OVERWHELMING IT TO THE DETRIMENT OF ENTERPRISE SECURITY?

CONTRIBUTING FACTORS: RECOGNIZING VULNERABILITIES
When discussing security-related updates, it’s important to remember the goal of patches: remediating a vulnerability rather than fixing a functional bug or adding new features. For those on the security side, that may seem like a straightforward concept, but there’s often a disconnect between security and operations teams on exactly what needs to be done. This disconnect is one of the major contributing factors of Patch Fatigue.

Figure 12a shows the responses to the survey question, “Does your IT staff have difficulties understanding the difference between applying a patch and resolving a vulnerability?” If the answer is yes, then you can represent the data as illustrated in Figure 12b.

FIG. 12b: Does your IT staff have difficulty understanding the difference between applying a patch and resolving a vulnerability?

A great example of the difficulty presented when attempting to understand the difference between applying a patch and resolving a vulnerability is MS15-1249, the December 2015 Internet Explorer cumulative update that resolved 30 CVEs. In most cases, Windows admins expect to install the update and be done, but one CVE in this bulletin contained a special note.

The bulletin laid out details on how to take the additional steps required to truly mitigate the vulnerability. In many cases, this additional step was not taken, leaving systems in a vulnerable state. This meant that companies that verify with Vulnerability Management products rather than Patch Management products left their internal teams with the additional overhead of verifying if systems were truly vulnerable. This may