Why Clients Shouldn’t Rely on Software Patching Alone


Software vulnerability exploitation ranked as 2020's top attack method for cybercriminals, according to the 2021 X-Force Threat Intelligence Index. Attackers scan networks looking for software weaknesses that haven't been patched. Once an unpatched vulnerability is found, infiltration is easy.

Software vulnerabilities are a prevalent threat, and their numbers grow with each passing year: 1998 ended with 319 reported vulnerabilities. The count has kept rising since, and 2020 saw 18,362.

Many of those vulnerabilities are high-risk. Edgescan's 2020 Vulnerability Statistics Report found that more than 25 percent of external-facing web application vulnerabilities and at least 40 percent of internal application vulnerabilities are deemed high-risk. CVE Details reported that more than 13 percent of vulnerabilities carry a critical score.

Staying current on vulnerability patches is critical to an organization's cybersecurity. But MSPs should encourage their clients not to rely solely on patching. Patching is never perfect.

With so many vulnerabilities in circulation, there is no guarantee that every one is, or can be, detected. Some are bound to slip through, and a vulnerability can only be patched once it has been found. In 2019, a 20-year-old vulnerability affecting Simple Network Management Protocol version 2 (SNMPv2) was discovered. The bug allowed unauthorized SNMP access via a guessed community string.

Twenty years is an extreme case, of course, but according to Check Point's Cyber Attack Trends: 2020 Mid-Year Report, 80 percent of attacks observed in the first half of 2020 exploited vulnerabilities that were at least two years old.

And then there's the chance that a patch won't fix all the weaknesses, or will fix them on some platforms but not others. For example, a worm christened 'Slammer' infected millions of systems at lightning speed, six months after Microsoft had released a patch for the vulnerability it exploited.

With so many vulnerabilities outstanding, each warranting its own combination of patches, software vendors simply cannot keep up. MSPs should educate their clients on patching's fallibility and encourage them to supplement regular patching with internal vulnerability scanning (IVS).

Frequent scanning also speeds up remediation. Scanning just one to 12 times a day took about 217 days to remediate half of discovered vulnerabilities, while scanning at least 260 times per day cut that time for 50 percent of vulnerabilities to less than 62 days.

A comprehensive cybersecurity program includes security automation with IVS, which can be one of an MSP's most powerful tools. This proactive approach detects risks before they become incidents. Not only will regular vulnerability scans generate recurring income, but the problems they uncover can expand your revenue and your worth to your client when you perform the fix.

To find out more about how you can use IVS to secure your clients, visit us and request a demo.

Citations:

  1. Top 10 Cybersecurity Vulnerabilities of 2020, Security Intelligence, 2021
  2. 25+ Cybersecurity Vulnerability Statistics and Facts of 2021, 2021
  3. Why Software Patches Don't Fix Everything, Forbes, 2019