Enterprise Patch Management is Still Causing Confusion

The Tripwire survey was completed on 480 IT security experts and asked questions about enterprise patch management policies at their groups.

The results indicate that IT staff are struggling to ensure that all systems are kept in a fully patched state. 67% of respondents said that at least a portion of the time, they are not certain about which patches need to be applied to certain systems.

The complexity of enterprise patch management is an issue For instance, a patch may be released to address Adobe Flash vulnerabilities, but it comes packaged with Google Chrome updates. It addresses Flash weaknesses in Chrome, where Adobe Flash is embedded, but does not address standalone installations or Flash weaknesses in other browsers. 86% of respondents said that issues such as this mean they find it difficult to comprehend the impact of a patch. It is all too simple for security flaws to remain after a patch has been applied.

Patches are made available that address a range of security vulnerabilities, but they do not address those vulnerabilities across all systems. The application of a patch will not necessarily remediate a security vulnerability completely. According to Tripwire, “The relationship between patches and vulnerabilities is far more complex than most people think.”

There is also serious confusion between patches and software upgrades. When it comes to tackling security vulnerabilities, a patch may address some, an upgrade may address others, and there is often some overlap between the two. Because of this, organizations have difficulty seeing to it that all software is properly patched and fully up to date.

The survey showed that 50% of enterprises do not realize the difference between applying patches and remediating security flaws. 7% of respondents didn’t realize there was a difference between applying a patch and addressing a security vulnerability, while 43% said their staff had trouble getting to grips with the difference.

Patches are now being released regularly and many enterprises find it difficult to tackle the sheer number of patches being released. Before the survey was completed, Tripwire expected only a small number of organizations to be experiencing “patch fatigue.” However, it is clear from the results of the survey that this is a widespread issue. 50% of respondents said that patches are now being made available at an unmanageable rate.

Enterprise patch management may be one of the most fundamental security measures, but effective patch management is anything but easy.

 

Link copied to clipboard
Photo of author

Posted by

Elizabeth Hernandez

Elizabeth Hernandez is a news writer on Defensorum. Elizabeth is an experienced journalist who has worked on many publications for several years. Elizabeth writers about compliance and the related areas of IT security breaches. Elizabeth's has a focus data privacy and secure handling of personal information. Elizabeth has a postgraduate degree in journalism. Elizabeth Hernandez is the editor of HIPAAZone. https://twitter.com/ElizabethHzone