MailGuard Sep 17, 2024 9:43:21 AM 6 MIN READ

Unpatched KEVs Are a Tick, Tick, Ticking Time Bomb

Software updates and a robust patch management program are critical to keep businesses safe. With every unpatched vulnerability a ticking time bomb sitting underneath the business, it is even more worrying to read in the Verizon 2024 Data Breach Investigations Report (DBIR) that it “takes around 55 days to remediate 50%” of the vulnerabilities listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog once patches are available. For further context, a Ponemon Institute survey found that 60% of data breach victims said the breach involved a known vulnerability that had not been patched.

CISA backs up concerns about the importance of a good patching routine, saying that, “New vulnerabilities are continually emerging, but the best defense against attackers exploiting unpatched vulnerabilities is simple: keep your software up to date.”

CISA offers these four best practices:

1. Enable automatic software updates whenever possible, to ensure software updates are installed as quickly as possible.
2. Do not use unsupported end-of-life software.
3. Always visit vendor sites directly rather than clicking on advertisements or email links, and
4. Avoid software updates while using untrusted networks.

But as partners, you’re better placed than most to attest that it’s never quite that simple.

The Verizon DBIR report states that:

“By doing a survival analysis of vulnerability management data and focusing on the vulnerabilities in the CISA Known Exploited Vulnerabilities (KEV) catalog, we found that it takes around 55 days to remediate 50% of those critical vulnerabilities once their patches are available... The patching doesn’t seem to start picking up until after the 30-day mark, and by the end of a whole year, around 8% of them are still open.”

Here's a chart with the Verizon data showing the time taken to remediate vulnerabilities:

[Chart: overall survival probability of CISA KEV vulnerabilities, plotted against days since the patch became available]

Source: Verizon 2024 Data Breach Investigations Report – ‘Overall Survival Probability’

The DBIR report goes on to say:

“If you look at the distribution of when vulnerabilities have their first scan seen in internet honeypots, the median time for a Common Vulnerabilities and Exposures (CVE) registered vulnerability in the CISA KEV is five days. On the other hand, the median time for non-CISA KEV vulnerabilities sits at 68 days.”

[Chart: days until first scan, CISA KEV versus non-KEV vulnerabilities]

Source: Verizon 2024 Data Breach Investigations Report – ‘Days Until First Scan’
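The DBIR figures above come from a survival analysis of patch records, and the same method works on a business's own data. The following is an added example, not code from Verizon or MailGuard: given one record per asset and CVE with the date the vendor patch shipped and the date it was applied (or none, if still open), it computes a Kaplan-Meier curve of "still unpatched" against days since patch release, then reads off the "days to remediate 50%" and "still open after a year" numbers the report quotes. The findings are constructed sample data and the CVE identifier in them is a placeholder, not a real entry.

```python
"""Survival analysis of your own KEV remediation times.

Added example, not code from the DBIR or from MailGuard. Each Finding is one
(asset, CVE) pair with the date a vendor patch became available and the date
it was applied (None if still open). The Kaplan-Meier estimator below gives
the probability that a finding is still unpatched t days after its patch
shipped, treating open findings as right-censored at the analysis date rather
than dropping them, which is what stops the long tail from being understated.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    patch_available: date
    remediated: Optional[date]  # None means still open at analysis time


def kaplan_meier(findings: List[Finding], analysis_date: date) -> List[Tuple[int, float]]:
    """Return (day, P(still open after `day`)) points; survival only steps down on a remediation."""
    observations = []
    for f in findings:
        if f.remediated is not None:
            observations.append(((f.remediated - f.patch_available).days, True))    # event
        else:
            observations.append(((analysis_date - f.patch_available).days, False))  # censored
    observations.sort()

    at_risk = len(observations)
    survival = 1.0
    curve = [(0, 1.0)]
    i = 0
    while i < len(observations):
        t = observations[i][0]
        n_at_t = at_risk  # findings still open just before day t
        events = 0
        while i < len(observations) and observations[i][0] == t:
            events += observations[i][1]  # censored rows leave the risk set without an event
            at_risk -= 1
            i += 1
        if events:
            survival *= 1.0 - events / n_at_t
            curve.append((t, survival))
    return curve


def days_to_remediate_fraction(curve: List[Tuple[int, float]], fraction: float) -> Optional[int]:
    """First day by which at least `fraction` of findings were remediated (None if never reached)."""
    for day, s in curve:
        if s <= 1.0 - fraction + 1e-12:
            return day
    return None


def still_open_at(curve: List[Tuple[int, float]], day: int) -> float:
    """Survival probability at `day` (step function: last point at or before `day`)."""
    value = 1.0
    for t, s in curve:
        if t > day:
            break
        value = s
    return value


# Constructed sample: eight findings patched after 3..200 days, two still open.
ANALYSIS_DATE = date(2024, 9, 1)


def sample_findings() -> List[Finding]:
    patched = date(2024, 1, 1)
    remediated_after = [3, 10, 10, 30, 45, 60, 90, 200]
    findings = [
        # "CVE-0000-0000" is a placeholder identifier for the example, not a real CVE.
        Finding(f"host-{i:02d}", "CVE-0000-0000", patched, patched + timedelta(days=d))
        for i, d in enumerate(remediated_after)
    ]
    # Two findings still open: censored at 244 and 92 days respectively.
    findings.append(Finding("host-08", "CVE-0000-0000", patched, None))
    findings.append(Finding("host-09", "CVE-0000-0000", date(2024, 6, 1), None))
    return findings


if __name__ == "__main__":
    curve = kaplan_meier(sample_findings(), ANALYSIS_DATE)
    for day, s in curve:
        print(f"day {day:3d}: {s:.0%} still open")
    print("days to remediate 50%:", days_to_remediate_fraction(curve, 0.5))
    print(f"still open at day 365: {still_open_at(curve, 365):.0%}")
```

On the constructed data the curve reaches 50% remediated at day 45 and 15% of findings are still open at the one-year mark. The censoring matters: simply averaging the closed tickets would ignore the two open ones and make the picture look better than it is.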


So, what should businesses be doing?

1. Create a patch management policy for the business

Develop a patch management policy that outlines the criteria for what, when and where patches will be implemented, plus patching schedules, routines and plans for alerts and other processes when things don’t go to plan.

2. Maintain a detailed inventory of all software and hardware

Capture every application, operating system and device the business relies on, who owns it and how it is updated, so that each item is reviewed and maintained on a schedule. The exercise usually exposes overlap, where several products perform the same function, and consolidating them reduces both the maintenance effort and the number of exposure points.

3. Categorise and prioritise patches based on levels of risk

The FTC suggests prioritising security software, operating systems, internet browsers and internet-facing apps and assets, but ultimately all assets need to be maintained to keep the business safe. Given the DBIR finding that KEV-listed vulnerabilities are scanned for within days of disclosure, anything internet facing with a KEV entry belongs at the very top of the queue.

4. Keep an eye out for vendor patch notifications and update announcements

Regularly review software update and patch announcements, including those that need manual installation. Don’t just review on “Patch Tuesday”, when Microsoft and Adobe ship their monthly updates (Oracle’s Critical Patch Updates follow a quarterly cycle instead). Out-of-band fixes for actively exploited bugs can land on any day, so regular review and monitoring is essential.

5. Automate! Automate! Automate!

There is no excuse for not automating patch management to ensure that patches are quickly applied to mitigate risks and reduce the drag on organisational resources.

6. Expect the unexpected

Despite best intentions, the best laid plans are prone to exceptions and unexpected failures, so assume breach at all times. Minimise the internet exposure of critical assets and limit user access, and be ready to apply compensating controls, such as isolating a host or restricting a service, when a patch cannot be applied in time.

7. Test patches before deploying

Patches sometimes fail or break things, which can itself create exposure, so wherever possible, and especially for major updates, test them in a controlled environment before rolling them out. Balance this against item 9: for an internet-facing KEV, a short smoke test beats a week-long test cycle.

8. Have a backup

Assuming that things don’t always go to plan, have backups of data and configuration in place, and verify that they actually restore, so that a failed patch can be rolled back.

9. Patch ASAP

In line with your patch management policies and prioritisation, apply patches as soon as possible to minimise the business's window of exposure.

10. Keep a record of new patches

Document when and where patches are deployed to assist teams in their duties, protecting assets and data, and in response and review of incidents.
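Items 2, 3, 9 and 10 above come together in one routine: join the inventory to the KEV catalog, rank, patch, record. The following is an added example, not MailGuard’s or CISA’s code. It joins a constructed list of scanner findings to a hand-built fragment of the CISA KEV feed that mirrors the feed’s field names (the three entries are real catalog items, but fetch the live JSON at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json rather than trusting the dates here), then orders the work by KEV membership, internet exposure, known ransomware use and how far past its patching deadline each finding is. The patching SLA tiers are an assumed policy for the example, not a standard, and the non-KEV finding carries a placeholder identifier.

```python
"""Prioritising scanner findings against the CISA KEV catalog.

Added example, not MailGuard's or CISA's code. KEV_SAMPLE is a constructed
fragment with the same keys as the real feed; in practice replace it with
json.load(open("known_exploited_vulnerabilities.json"))["vulnerabilities"].
"""
import json
from datetime import date, timedelta
from typing import Dict, List

# Constructed fragment of the KEV feed (same field names as the real JSON).
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
   "dateAdded": "2021-12-10", "dueDate": "2021-12-24", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-2023-4966", "vendorProject": "Citrix", "product": "NetScaler ADC and Gateway",
   "dateAdded": "2023-10-18", "dueDate": "2023-11-08", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-2024-3400", "vendorProject": "Palo Alto Networks", "product": "PAN-OS",
   "dateAdded": "2024-04-12", "dueDate": "2024-04-19", "knownRansomwareCampaignUse": "Unknown"}
]}
""")["vulnerabilities"]

# Constructed scanner output: one row per asset/CVE. "CVE-0000-0000" is a placeholder
# for a finding that is not in the catalog, not a real identifier.
FINDINGS = [
    {"asset": "vpn-gw-01", "cve": "CVE-2023-4966", "internet_facing": True, "patch_available": "2023-10-10"},
    {"asset": "fw-edge-02", "cve": "CVE-2024-3400", "internet_facing": True, "patch_available": "2024-04-14"},
    {"asset": "app-int-07", "cve": "CVE-2021-44228", "internet_facing": False, "patch_available": "2021-12-10"},
    {"asset": "app-int-07", "cve": "CVE-0000-0000", "internet_facing": False, "patch_available": "2024-08-01"},
]

TODAY = date(2024, 9, 17)  # fixed so the example is reproducible


def load_kev(entries: List[dict]) -> Dict[str, dict]:
    """Index the catalog by CVE id for O(1) lookups."""
    return {e["cveID"]: e for e in entries}


def sla_days(in_kev: bool, internet_facing: bool) -> int:
    """Assumed patching policy for this example: KEVs on the edge inside the DBIR's
    five-day median first-scan window, other KEVs within a week, the rest slower."""
    if in_kev and internet_facing:
        return 2
    if in_kev:
        return 7
    if internet_facing:
        return 30
    return 90


def prioritise(findings: List[dict], kev_index: Dict[str, dict], today: date) -> List[dict]:
    """Annotate each finding with KEV data and deadline status, then sort most urgent first."""
    rows = []
    for f in findings:
        kev = kev_index.get(f["cve"])
        patch = date.fromisoformat(f["patch_available"])
        sla = sla_days(kev is not None, f["internet_facing"])
        deadline = patch + timedelta(days=sla)
        rows.append({
            "asset": f["asset"],
            "cve": f["cve"],
            "kev": kev is not None,
            "ransomware": bool(kev) and kev.get("knownRansomwareCampaignUse") == "Known",
            "internet_facing": f["internet_facing"],
            "cisa_due": kev["dueDate"] if kev else None,
            "days_since_patch": (today - patch).days,
            "sla_days": sla,
            "days_overdue": (today - deadline).days,  # negative = still inside SLA
        })
    # KEV first, then internet facing, then known ransomware use, then most overdue.
    rows.sort(key=lambda r: (not r["kev"], not r["internet_facing"],
                             not r["ransomware"], -r["days_overdue"]))
    return rows


if __name__ == "__main__":
    for r in prioritise(FINDINGS, load_kev(KEV_SAMPLE), TODAY):
        flags = ("KEV " if r["kev"] else "    ") + ("EXT " if r["internet_facing"] else "INT ")
        print(f"{flags}{r['asset']:<11}{r['cve']:<16}patch age {r['days_since_patch']:>4}d  "
              f"SLA {r['sla_days']:>2}d  overdue {r['days_overdue']:>5}d  CISA due {r['cisa_due']}")
```

Run as-is, the two internet-facing KEVs come out first despite the internal Log4j finding being far older, because the ordering puts exposure ahead of age; the non-KEV finding is still inside its 90-day window and lands last. Writing the sorted rows to a ticketing system, with the deployment date filled in afterwards, is the record item 10 asks for.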

The importance of an effective patch management program is a key reason why many businesses should reach out to you as a partner to help boost their cyber resilience. And, while not having to patch software or install updates is one of the key attractions of a cloud or SaaS solution like MailGuard, not every service a business implements is so fortunate. Updates are a fact of life, so make sure your customers are prepared accordingly, with robust routines and a healthy respect for the dangers lurking on the periphery, waiting for businesses to drop their guard.

Keeping Businesses Safe and Secure

Prevention is always better than a cure, and one of the best defences is to encourage businesses to proactively boost their cyber resilience so that threats never land in inboxes in the first place. The fact that a staggering 94% of malware attacks are delivered by email makes email an extremely important vector for businesses to fortify.

No one vendor can stop all email threats, so it’s crucial to remind customers that if they are using Microsoft 365 or Google Workspace, they should also have a third-party email security specialist in place to mitigate their risk. For example, using a specialist third-party cloud email solution like MailGuard.   

MailGuard provides a range of solutions to keep businesses safe, from email filtering to email continuity and archiving solutions. Speak to your customers today to ensure they’re prepared and get in touch with our team to discuss fortifying your customer’s cyber resilience.

Talk to us

MailGuard's partner blog is a forum to share information; we want it to be a dialogue. Reach out to us and tell us what your customers need so we can serve you better. You can connect with us on social media or call us and speak to one of our consultants.

Australian partners, please call us on 1300 30 65 10

US partners call 1888 848 2822

UK partners call 0 800 404 8993

We’re on Facebook, Twitter and LinkedIn.
