PA Consulting’s cybersecurity expert, Sebastian Hope, comments on security pre-advisories and how companies can improve enterprise security.
The article discusses how patching is a fact of life for IT administrators and although it is essential to maintain security, keeping up with vendors’ patch release cycles is a challenge.
According to research by Ivanti, an IT asset and services management vendor, 71% of IT professionals find patching to be complex and time-consuming. Worse still, from a security point of view, 62% said patching often has to give way to other priorities.
Yet despite the hassle caused by patching, some vendors are now starting to alert sysadmins to pending security releases, via pre-advisories.
The article goes on to say that the risk of pre-advisories giving more ammunition to bad actors appears obvious: learn of a vulnerability before there is a patch, and it can be exploited. If vendors give advance warning through pre-advisories, it could be argued that the risk is higher still.
Fortunately, most security researchers feel that the risk is small, or at least small enough to be outweighed by the benefits.
As important, though, is the need to plan for software updates and maintenance, to head off security vulnerabilities as well as costs associated with aging systems.
“The biggest issue is getting the budget, resource and the political will to upgrade systems to current operating systems, let alone patching them routinely,” says Sebastian.
He goes on to say: “Greater advance notice of the need for patching is not the real issue. What is needed is a commitment from the organization to resourcing the upgrades.”