Apart from keeping servers and endpoints secure, IT teams in enterprises also have to make sure that day-to-day business operations run smoothly. With this in mind, IT groups often delay installing security updates after software vendors release them, for several reasons. For one, applying patches often requires restarts of mission-critical servers, and at times services must go offline. Testing and deploying patches may also take 30 days or more because IT teams need to research the effects of these patches first.
Ultimately, the need to avoid business disruption in order to meet SLAs and reduce operation costs can force IT teams in charge of security to deprioritize patch management. In short, operational concerns and compliance mandates tend to prevail over security.
As a result, delayed patching introduces windows of exposure that lead to these security risks:
- Zero-day exploits: exploits that leverage vulnerabilities before vendor announcement and patch release
- “Buggy” or incomplete vendor patch: flawed patch released by software vendor to fix a vulnerability
- In-the-wild exploit: cybercriminals often use exploits as an infection vector or delivery mechanism
When left unpatched, vulnerable endpoints and servers become open to attacks such as denial of service (DoS) and data breaches, which can lead to data loss and business disruption. For instance, a proof-of-concept exploit for the Oracle Database TNS Listener Poison Attack Vulnerability could compromise affected servers and steal data from them.
In our primer, Monitoring Vulnerabilities: Are your Servers Exploit-Proof?, and infographic, Dodging a Compromise: A Peek at Exposure Gaps, we tackle how delayed patching, driven by the need to sustain application uptime and lessen server downtime, could open the network to a plethora of security risks. We also discuss the importance of virtual patching, which enables IT administrators to manage the deployment of patches without affecting regular operations. Through virtual patching, emergency patches are dealt with and servers are protected from exploits leveraging unpatched vulnerabilities.
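The exposure-window idea above, as an added example that is not part of the primer or any vendor tooling: a small Python tracker that classifies each vulnerability into the three risk categories the list names (zero-day, buggy or withdrawn vendor patch, in-the-wild exploit), computes how long a server stays exposed, and records whether a virtual patch closed the window before the vendor patch could be deployed. The vulnerability identifiers, dates, and the `VulnRecord` fields are constructed placeholders; the 30-day threshold is the figure the text gives for testing and deployment.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class VulnRecord:
    """One tracked vulnerability on one server (all fields are hypothetical)."""
    vuln_id: str
    exploit_seen: Optional[date]             # first PoC or in-the-wild exploit, if any
    vendor_patch_released: Optional[date]    # None while the vendor has not shipped a fix
    vendor_patch_deployed: Optional[date]    # None until change management rolls it out
    vendor_patch_withdrawn: bool = False     # "buggy" patch pulled by the vendor
    virtual_patch_applied: Optional[date] = None  # IPS/host rule shielding the flaw


@dataclass
class Exposure:
    vuln_id: str
    category: str
    window_start: date
    window_end: Optional[date]               # None means the window is still open
    days_exposed: int
    shielded_by_virtual_patch: bool


TODAY = date(2024, 5, 1)                      # constructed reference date


def assess(rec: VulnRecord, today: date = TODAY) -> Exposure:
    """Compute the exposure window for one record."""
    # Exposure begins at the earlier of an exploit sighting and the vendor release:
    # a zero-day is exploited before any patch exists.
    start = min(d for d in (rec.exploit_seen, rec.vendor_patch_released) if d)

    if rec.exploit_seen and (rec.vendor_patch_released is None
                             or rec.exploit_seen < rec.vendor_patch_released):
        category = "zero-day"
    elif rec.vendor_patch_withdrawn:
        category = "buggy-patch"
    elif rec.exploit_seen:
        category = "in-the-wild"
    else:
        category = "unpatched"

    # A withdrawn vendor patch does not close the window; a virtual patch does.
    closers = []
    if rec.vendor_patch_deployed and not rec.vendor_patch_withdrawn:
        closers.append(rec.vendor_patch_deployed)
    if rec.virtual_patch_applied:
        closers.append(rec.virtual_patch_applied)
    end = min(closers) if closers else None

    days = ((end or today) - start).days
    shielded = rec.virtual_patch_applied is not None and end == rec.virtual_patch_applied
    return Exposure(rec.vuln_id, category, start, end, days, shielded)


def assess_all(records: List[VulnRecord], today: date = TODAY) -> List[Exposure]:
    return [assess(r, today) for r in records]


def overdue(records: List[VulnRecord], today: date = TODAY, max_days: int = 30) -> List[str]:
    """IDs whose window is still open and already longer than the patch-test budget."""
    return [e.vuln_id for e in assess_all(records, today)
            if e.window_end is None and e.days_exposed > max_days]


# Constructed sample inventory (identifiers and dates are placeholders).
SAMPLE_RECORDS = [
    VulnRecord("VULN-A", date(2024, 3, 1), date(2024, 3, 15), date(2024, 4, 20)),
    VulnRecord("VULN-B", None, date(2024, 3, 15), None,
               virtual_patch_applied=date(2024, 3, 17)),
    VulnRecord("VULN-C", date(2024, 4, 1), date(2024, 3, 15), date(2024, 3, 20),
               vendor_patch_withdrawn=True),
    VulnRecord("VULN-D", date(2024, 3, 20), date(2024, 3, 15), None),
]


if __name__ == "__main__":
    for e in assess_all(SAMPLE_RECORDS):
        state = "closed" if e.window_end else "OPEN"
        print(f"{e.vuln_id}: {e.category:12} {e.days_exposed:3d} days {state}"
              f"{' (virtual patch)' if e.shielded_by_virtual_patch else ''}")
    print("over 30-day budget:", overdue(SAMPLE_RECORDS))
```

In the sample, VULN-B is the virtual-patching case: the vendor fix is still waiting for a maintenance window, but the shield applied two days after release closes the exposure window, while VULN-C (withdrawn patch) and VULN-D (exploited in the wild, patch not yet deployed) remain open past the 30-day budget.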