Better security needs 'more informed patching'

If companies patch the most popular 37 Windows programs, they could cut their risk by 80 percent, according to a report released on Wednesday by vulnerability management and information firm Secunia.

In its report, the company argues that businesses cannot afford to patch every flaw and so must focus on the applications that pose the greatest threat -- in this case, those with highly or extremely critical vulnerabilities. Companies that focus on patching the riskiest applications -- as measured by the criticality of their vulnerabilities -- can reduce their risk more than businesses that focus on just the most popular programs, according to the report.


"The question is what programs to patch, by just patching a few programs, you can have great effect," says Stefan Frei, research analyst director at Secunia and an author of the report. "The problem is that the programs you have to patch are dynamic. It is like chasing a moving target."

Secunia used data from its Personal Software Inspector (PSI), a free vulnerability and patch scanner that runs on 3 million Windows systems. The company found that the number of vulnerabilities affecting the typical endpoint jumped to 729 in 2010, from 225 in 2007.

Using the top-200 programs present on the systems, the company posed the question of which strategy would have the greatest impact on its measurement of risk -- a sum of the number of vulnerabilities weighted by their criticality. Secunia found that the most popular programs often have a large number of significant flaws, but not always.

"If I put myself in the shoes of the cyber criminal," says Frei, "I would go after the program with the largest market share, and then I would focus on those that are the easiest to exploit."


However, other security researchers focus on a different measure of risk, and that suggests a different strategy. For example, security consultant Daniel Guido of iSec Partners analyzed popular exploit kits available in 2009 and 2010, finding that the kits included exploits for only 27 of the approximately 8,000 vulnerabilities reported during those two years. Focusing on only those vulnerabilities can make a big difference in a company's security posture, he argues.
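The two views above -- Secunia's risk metric (a count of vulnerabilities weighted by their criticality, ranked against simple popularity) and Guido's exploit-kit coverage -- can be compared on the same inventory. The script below is an added example, not code from Secunia, iSec Partners or the report; the criticality weights, the seven-program inventory, the install shares and the exploit-kit counts are all constructed assumptions, since the article gives none of those numbers. It ranks a patch queue three ways and reports how much of each measure of exposure patching the first k programs removes, and how many programs it takes to reach the 80 percent risk reduction the report talks about.

```python
"""Compare patch-prioritisation strategies over a constructed software inventory.

Added example, not Secunia's or iSec's code. The criticality weights, the
inventory and the exploit-kit counts are constructed assumptions.
"""
from dataclasses import dataclass

# Assumption: Secunia's five criticality levels mapped to integer weights.
# The report describes "vulnerabilities weighted by their criticality" but
# gives no numbers, so these weights are constructed.
CRITICALITY_WEIGHT = {"extremely": 5, "highly": 4, "moderately": 3, "less": 2, "not": 1}


@dataclass
class Program:
    name: str
    install_share: float      # fraction of endpoints with the program installed
    vulns: dict               # criticality level -> count of unpatched vulnerabilities
    in_exploit_kit: int = 0   # constructed: how many of those vulns a kit actually carries

    def weighted_risk(self) -> int:
        """Secunia-style risk: vulnerability count weighted by criticality."""
        return sum(CRITICALITY_WEIGHT[level] * n for level, n in self.vulns.items())


# Constructed inventory; names are placeholders, not real products.
INVENTORY = [
    Program("Browser A", 0.95, {"highly": 10, "moderately": 5}, in_exploit_kit=3),
    Program("Office suite", 0.90, {"less": 4}),
    Program("PDF reader", 0.80, {"extremely": 6, "highly": 4}, in_exploit_kit=5),
    Program("Media player", 0.60, {"highly": 8}, in_exploit_kit=7),
    Program("Runtime plugin", 0.55, {"extremely": 9, "moderately": 2}, in_exploit_kit=6),
    Program("Archive tool", 0.40, {"moderately": 3}),
    Program("Chat client", 0.35, {"less": 2}),
]

# Three ways to order the patch queue: by popularity, by the weighted
# risk score, or by what exploit kits are actually observed to carry.
STRATEGIES = {
    "popularity": lambda p: p.install_share,
    "criticality": lambda p: p.weighted_risk(),
    "exploit_kit": lambda p: (p.in_exploit_kit, p.weighted_risk()),
}


def patch_order(programs, strategy: str):
    """Programs sorted so the first entry is the one the strategy patches first."""
    return sorted(programs, key=STRATEGIES[strategy], reverse=True)


def coverage(programs, strategy: str, k: int) -> dict:
    """Weighted risk and exploit-kit exposure removed by patching the first k programs."""
    patched = patch_order(programs, strategy)[:k]
    return {
        "risk": sum(p.weighted_risk() for p in patched),
        "risk_total": sum(p.weighted_risk() for p in programs),
        "kit": sum(p.in_exploit_kit for p in patched),
        "kit_total": sum(p.in_exploit_kit for p in programs),
    }


def programs_needed(programs, strategy: str, target: float = 0.8) -> int:
    """Smallest number of programs to patch to remove `target` of the weighted risk."""
    total = sum(p.weighted_risk() for p in programs)
    removed = 0
    for i, p in enumerate(patch_order(programs, strategy), start=1):
        removed += p.weighted_risk()
        if removed >= target * total:
            return i
    return len(programs)


def compare(programs, k: int) -> dict:
    """Coverage of every strategy after patching k programs."""
    return {s: coverage(programs, s, k) for s in STRATEGIES}


if __name__ == "__main__":
    for name, c in compare(INVENTORY, 3).items():
        print(f"{name:12s} risk {c['risk']}/{c['risk_total']}  "
              f"kit exploits {c['kit']}/{c['kit_total']}  "
              f"programs for 80%: {programs_needed(INVENTORY, name)}")
```

On this constructed data, patching the three most popular programs removes about half of the weighted risk, ordering by criticality removes about three quarters, and ordering by exploit-kit presence removes the most kit-carried exploits while scoring lower on Secunia's metric: the strategy that looks best depends entirely on which measure of risk you adopt, which is the disagreement the article describes.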

"There are major applications that are very difficult to attack and have many vulnerabilities identified in them," he says. "Chrome is a great example; Adobe Reader is a great example; even Microsoft products, for as long as they've been using SDL (Secure Development Lifecycle) have a large number of vulnerabilities found in there in every patch cycle."

Yet how hard vulnerabilities are to find and how hard they are to exploit affects how many security researchers -- both legitimate and malicious -- focus on finding and exploiting vulnerabilities in those products. Such market forces push researchers to concentrate on a few programs that are highly productive in terms of vulnerabilities.

For example, in his presentation in April, Guido found that turning on data-execution protection (DEP) would stop 14 of the 19 memory corruption vulnerabilities, while barring Java from running in the Internet zone would prevent 11 of the 15 kits from executing Java exploits.

Both researchers agree that patching is a good defensive strategy, in conjunction with other defensive technologies.

"Everybody does antivirus protection but we have to be aware of the limitation of those techniques. With a patch you essentially stop this arms race," Secunia's Frei argues. "Once you install the patch, no matter how many variants the cybercriminals push out, you are safe."
