The 2015 Verizon Data Breach Investigation Report (DBIR) has been published. If you are at all interested in information security and the current state of data breaches, you should give it a quick read. Over the next few postings, we’ll point out some of the highlights from the report.
First up, system patching. The DBIR shows that 99% of all exploits used to compromise systems were greater than 1 year old and had patches available. Sorry folks, there is simply no excuse for allowing systems to go more than a year without patching them against critical vulnerabilities. I’m not advocating for the “patch it within 48 hours” camp here, but how about 48 days? Given the report, even 48 weeks would work.
Let’s face it, cyber attacks are not going away. Think of it like this. Patching is to information security what vaccinations are to public health. By being vaccinated, not only do you reduce the chance you’ll contract a specific disease, you ensure you’re not a carrier and will not pass it along to others. When we patch our systems, we ensure they will not be compromised by a particular threat and used to compromise others in the process.
We need to implement strong patch management policies and procedures. The best of intentions are just that, intentions. If we truly care about information security, a defined and repeatable process must be used to identify vulnerabilities and implement the appropriate patch. Only then can we say we are serious about information security and working to eliminate data breaches.
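To make that “defined and repeatable process” concrete, here is an added example (it is not part of the original post and is not taken from the DBIR) of the simplest check such a process needs: cross an asset inventory with a list of vendor advisories, find every installed package still below the fixed version, and measure how long the patch has been sitting unapplied against the 48-hour, 48-day and 48-week windows mentioned above. The advisory identifiers, package names, versions and dates are all constructed for the illustration.

```python
"""Patch-age compliance check (added example, not from the original post).

Given an asset inventory and advisories with patch-release dates, report
every installed package still below the fixed version, how long the fix has
been available, and which patching window it still fits. All data below is
constructed; the advisory ids are placeholders, not real CVEs.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    advisory_id: str          # placeholder identifier, not a real CVE
    package: str
    fixed_version: str        # first version that carries the fix
    patch_released: date      # date the vendor shipped the fix


@dataclass(frozen=True)
class Installed:
    host: str
    package: str
    version: str


@dataclass(frozen=True)
class Finding:
    host: str
    package: str
    advisory_id: str
    installed: str
    fixed: str
    days_available: int       # how long the patch has existed unapplied
    bucket: str               # tightest patching window this still satisfies


# The post's three candidate patching windows, in days. A finding is tagged
# with the tightest window it still fits; beyond the last one it is "overdue".
SLA_BUCKETS = (("48h", 2), ("48d", 48), ("48w", 48 * 7))


def parse_version(text):
    """Turn '2.4.7' into (2, 4, 7) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def sla_bucket(days):
    """Map a patch age in days onto the tightest window it still meets."""
    for label, limit in SLA_BUCKETS:
        if days <= limit:
            return label
    return "overdue"


def find_unpatched(inventory, advisories, today):
    """Cross the inventory with the advisories; return unpatched packages,
    oldest available patch first, so the worst exposure tops the list."""
    findings = []
    for item in inventory:
        for adv in advisories:
            if item.package != adv.package:
                continue
            if parse_version(item.version) >= parse_version(adv.fixed_version):
                continue  # already at or past the fixed version
            days = (today - adv.patch_released).days
            findings.append(Finding(item.host, item.package, adv.advisory_id,
                                    item.version, adv.fixed_version,
                                    days, sla_bucket(days)))
    return sorted(findings, key=lambda f: f.days_available, reverse=True)


def summarize(findings):
    """Count findings per window, the number a manager actually asks for."""
    counts = {}
    for f in findings:
        counts[f.bucket] = counts.get(f.bucket, 0) + 1
    return counts


# --- constructed sample data ---------------------------------------------
ADVISORIES = [
    Advisory("ADV-0001 (constructed)", "webserver", "2.4.10", date(2014, 3, 15)),
    Advisory("ADV-0002 (constructed)", "ssl-lib", "1.0.2", date(2015, 4, 20)),
    Advisory("ADV-0003 (constructed)", "kernel", "3.19.5", date(2015, 5, 31)),
]

INVENTORY = [
    Installed("web01", "webserver", "2.4.7"),
    Installed("web01", "ssl-lib", "1.0.1"),
    Installed("db01", "ssl-lib", "1.0.2"),
    Installed("db01", "kernel", "3.19.3"),
    Installed("app01", "webserver", "2.4.12"),
]

AS_OF = date(2015, 6, 1)   # constructed "today" for the report


if __name__ == "__main__":
    results = find_unpatched(INVENTORY, ADVISORIES, AS_OF)
    for f in results:
        print(f"{f.host:6} {f.package:10} {f.installed:>7} -> {f.fixed:<7} "
              f"{f.days_available:4}d available  [{f.bucket}]")
    print("summary:", summarize(results))
```

Run as-is it lists web01’s web server (patch available 443 days, well past any of the windows), web01’s SSL library (42 days, still inside the 48-day window) and db01’s kernel (1 day). In a real deployment the inventory would come from your configuration management or vulnerability scanner and the advisories from the vendors’ feeds; the part worth keeping is that the check runs on a schedule and the “overdue” count is something someone is accountable for.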