WannaCry whatever. Not that I am keyword trawling, but this recent Windows XP/NSA/North Korea/ransomware/bitcoin/OMG drama made me think about good old vulnerability management again – especially given that it is our current research project.
If you look at social media, you’ll see TWO opposite voices about the situation:
- “OMG those idiots use Windows XP and/or don’t patch modern Windows, let the negligent bastards die! Die!! Die!!!”
- “You morons never worked in the real world; business and IT don’t let us patch for months. Just you shut up! You don’t understand nothing about how real organizations function!”
Naturally, a lot of hilarity is generated in the process (and, don’t get me wrong – we DO need that in our industry!), but not a lot of useful guidance. In our now-classic vulnerability management guidance, we have this visual:
It makes sense, and it is useful – but it skirts the 3rd option: mitigation. So, if the organizations cannot fix the issue and cannot accept the risk, why don’t they mitigate more? Generally, because mitigation (some call it “virtual patching”) requires controls and controls cost money and/or time (to understand, deploy, manage, update, tune, etc). As a sidenote, I also met a few people who equate “accept the risk” with “magically wish it to never realize” rather than use the real meaning: deep in your heart, be totally OK if the risk manifests itself (as in “when you drive the red light, you are OK with being fined $500 or killed on the spot”).
So, we would probably adjust the visual to something like this:
|Patch the issue||Fix it for good, never have to deal with it||Incur the risk of application conflicts and downtime.
|Ignore the issue||Reduce risk of update going bad.
No work needed
|You may get hacked, lose data, clients, etc… the usual 🙂|
|Mitigate the issue||Can be done faster than patching and sometimes without system owner participation||Spending time and/or money on controls|
So, how do you mitigate? How do you make …ahem … Windows XP safe and secure? How to you deal with unpatchable Android devices? Insecure IoT crap? Or with business that does not allow you to take the system down for patching even in the face of near-certainty of a damaging intrusion?
Posts related to the same research project on patch management:
- Cannot Patch? Compensate, Mitigate, Terminate!
- What is Your Minimum Time To Patch or “Patch Sound Barrier”
- Patch Management – NOT A Solved Problem!
- Next Research Project: From Big Data Analytics to … Patching
- On Nebulous Security Policies (featuring “we patch all systems within 30 days” boondoggle)
- All posts related to patching
- All posts related to vulnerability management.