Apart from keeping servers and endpoints secure, IT teams in enterprises also make sure that day-to-day business operations run smoothly. With this in mind, IT groups often delay installing security updates after software vendors release them, for several reasons. For one, applying patches often requires restarting mission-critical servers, and at times this may require services to go offline. Testing and actual deployment of patches may also take up to 30 days or more because IT teams also need to research the effects of these patches.
Ultimately, the need to avoid business disruption in order to meet SLAs and reduce operational costs can force IT teams in charge of security to deprioritize patch management. In short, operational concerns and compliance mandates tend to prevail over security.
This introduces windows of exposure that lead to the following security risks:
- Zero-day exploits: exploits that leverage vulnerabilities before the vendor's announcement and patch release
- “Buggy” or incomplete vendor patches: flawed patches released by a software vendor to fix a vulnerability
- In-the-wild exploits: cybercriminals often use exploits as an infection vector or delivery mechanism