Vulnerabilities, Patch Management, and Your Sanity
I have read quite a few articles discussing vulnerabilities and patch management recently. Anyone doing security on a regular basis knows the importance of patching vulnerabilities and the stories of unpatched vulnerabilities leading to system-wide outages or ransomware events are almost as numerous as the stories of Jerry Jones’ ego getting in the way of the Dallas Cowboys. (Sorry Cowboy fans, I have sworn to only speak the truth here)
An article on ITSecurityGuru (May 2024) referenced a study which found that 36% of organizations polled reported three or more data breaches in a 24-month time frame. That is staggering, and it suggests that certain organizations aren't able or willing to make the changes needed to prevent these breaches. Cyentia Institute, a cybersecurity research firm, published a study of vulnerabilities and exploitation built on the Exploit Prediction Scoring System (EPSS), a model maintained by FIRST that estimates the probability a given CVE will be exploited in the wild. EPSS is meant to sit alongside, not replace, CVSS severity scores and the CISA Known Exploited Vulnerabilities (KEV) catalog. They claim the model predicts exploitation better than severity alone, and while the purpose of this newsletter isn't to dive into that claim, I am using their data to make a more general point:
We cannot possibly keep our systems fully patched. There are too many disparate systems, some of which are End-Of-Life but we have to maintain them anyway because: Reasons. We have all experienced those conversations and government agencies, in particular, have a greater likelihood of running older, vulnerable systems because of regulatory requirements to keep data, and resource pressure that often prevents our teams from completing projects and retiring older systems. Emphasizing High and Critical rated vulnerabilities is a simple and great first step… but isn’t enough to prevent a breach.
The EPSS study found that there were almost 238,000 CVE records as of May 2024. Of those, 13,807 had observed exploitation activity. That translates to less than 6% of published CVEs being used in attacks, and roughly 94% with no observed exploitation at all, which means a large share of our patching effort goes to vulnerabilities that, as far as anyone has seen, were never used in an attack. There are legitimate reasons for those numbers, including vulnerabilities that are easy to patch but difficult to exploit. Additionally, the 2025 Mass Internet Exploitation Report from GreyNoise (Feb 2025) reported that 40% of exploited CVEs were at least four years old, with some dating back to the 1990s. Age is not a reason to deprioritize a fix.
This is a lot of information, so let's all take a deep breath and focus on maximizing our security posture. My recommendation is to sit down and wrap your head around your organization. These are the five questions I ask myself when determining patch prioritization:
- Where is my most important and sensitive data stored? This is where regulated data lives (PHI, PCI, CJI, etc.).
- What are my most critical systems?
- If internet-facing systems are compromised, how easy is it to move from them to critical systems?
- What tools do I have that can either prevent or catch an intruder?
- If you received notifications of critical zero-day vulnerabilities in the OS, browser, firewall, ERP application, email server, and EDR all at once, what would you prioritize first and why? There isn't a single right answer here, but the process of thinking it through can help shore up your security posture.
Other recommendations:
- Prioritize systems that directly touch the internet.
- Everyone has heard the adage that our users are our greatest risk, and it is true. Therefore, make sure the software they use is as up to date as possible (OS, browser, and email client, to name the most obvious).
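One way to turn those questions into a repeatable ranking, as an added example that is not part of the original article: score each finding so that evidence of real-world exploitation (KEV listing, EPSS probability) outweighs raw CVSS severity, and exposure plus blast radius (internet-facing, path to critical systems, data sensitivity) break the ties. The inventory, the CVE placeholders, the point weights and the SLA windows below are all constructed assumptions for illustration; in practice EPSS scores come from the FIRST API and KEV membership from CISA's catalog.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    """One vulnerability on one asset (constructed fields, not a scanner export)."""
    cve: str
    asset: str
    cvss: float             # advisory base score, 0-10
    epss: float             # EPSS probability of exploitation within 30 days, 0-1
    in_kev: bool            # listed in CISA's Known Exploited Vulnerabilities catalog
    internet_facing: bool   # reachable from the internet
    asset_tier: int         # 1 = holds regulated data or mission critical, 3 = low value
    reaches_critical: bool  # compromise gives a plausible path to a tier-1 system


# Constructed inventory; the CVE identifiers are placeholders, not real CVE records.
INVENTORY: List[Finding] = [
    Finding("CVE-EXAMPLE-0001", "perimeter-firewall", 7.2, 0.85, True, True, 2, True),
    Finding("CVE-EXAMPLE-0002", "dev-test-vm", 9.8, 0.01, False, False, 3, False),
    Finding("CVE-EXAMPLE-0003", "erp-database", 6.5, 0.02, False, False, 1, False),
    Finding("CVE-EXAMPLE-0004", "mail-server", 8.8, 0.40, False, True, 2, True),
    Finding("CVE-EXAMPLE-0005", "user-workstation-browser", 8.8, 0.60, True, False, 3, True),
]


def priority(f: Finding) -> float:
    """Urgency score; higher means patch sooner.

    The weights are assumptions chosen so that evidence of exploitation (KEV,
    EPSS) can contribute up to 70 points, severity at most 20, and exposure,
    lateral-movement value and data sensitivity together up to 35.
    """
    score = 0.0
    # Evidence that attackers actually use this vulnerability
    if f.in_kev:
        score += 40
    score += 30 * f.epss
    # Severity still counts, but is capped well below exploitation evidence
    score += 2 * f.cvss
    # Where it sits: exposure, path to critical systems, data sensitivity
    if f.internet_facing:
        score += 15
    if f.reaches_critical:
        score += 10
    score += {1: 10, 2: 5, 3: 0}[f.asset_tier]
    return round(score, 2)


def sla_days(f: Finding) -> int:
    """Constructed remediation window: exploited and exposed gets days, the rest weeks."""
    if f.in_kev and f.internet_facing:
        return 3
    if f.in_kev or f.epss >= 0.5:
        return 7
    if f.cvss >= 7.0:
        return 30
    return 90


def rank(findings: List[Finding]) -> List[Finding]:
    """Findings ordered most urgent first."""
    return sorted(findings, key=priority, reverse=True)


if __name__ == "__main__":
    for f in rank(INVENTORY):
        print(f"{priority(f):6.1f}  {sla_days(f):3d}d  CVSS {f.cvss:4.1f}  "
              f"EPSS {f.epss:.2f}  KEV={'Y' if f.in_kev else 'N'}  {f.asset}")
```

Run as written, the CVSS 9.8 finding on the internal test VM lands at the bottom of the list (about 20 points, 30-day window) while the CVSS 7.2 finding on the internet-facing firewall, which is in KEV and has a high EPSS score, lands at the top (about 110 points, 3-day window). That is the article's point in code: severity alone would have ordered those two the other way.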
Kevin Joyner, CISSP
Chief Information Security Officer
Brazos County IT
References:
- ITSecurityGuru article on breach frequency (May 2024)
- Cyentia Institute EPSS study (May 2024 data)
- GreyNoise, 2025 Mass Internet Exploitation Report (Feb 2025)