Speaking at the (ISC)2 conference, Marcus Alldrick, CISO at Lloyd's of London, claimed that the basic principle is that if someone has a view of your vulnerabilities they will make the most of it and take advantage.
An IBM ISS X-Force threat report, identified in the earlier keynote speech by technical manager James Rendell, claimed that 53 per cent of vulnerabilities in 2008 had no vendor-supplied patches. Alldrick claimed that with this figure in mind security managers need 'to be more proactive to patch vulnerabilities so a return on an attack diminishes'.
He said that with more sophistication being seen in attacks and a move being made into attacking mobile devices, the problem is trying to get the message through about patching and getting the message across that companies need to patch more efficiently.
Alldrick said: “Why isn't patch management being done? There are too many reasons including that some are evil that are patches within patches, some you have to test, you need to update laptops to examine usage. We now have pooled laptops but the number who don't connect to patch is amazing, there is a communication and awareness issue here, the time needed to take application systems down, trying to find windows to apply or you can't apply it because you need a service pack but then that is not compatible.
“Also do you actually know where your software is? Also scheduling downtime to do the application, we do it Sunday mornings but some departments work on Sundays so the inconvenience is not great, with Conficker it was rolled out over a number of nights.”
Alldrick also claimed that some companies are patching on the service side but not on the client side, and they needed to address that now.
“The key thing is to make sure you have resource at the coal face. We're seeing patch management as a business issue, it will result in money off bottom line, it should be proactive and seen as a preventative tool and not as a corrective tool. Try and understand what you are protecting and what is under attack, do you really want your machines to become botnets?” said Alldrick.
“Support by a defence-in-depth strategy, if you are not up on this you need a strategy in place, if you are doing it manually you need to automate, you need to be more informed of your vulnerabilities and what they are, you are going to see a trend towards mobile devices so you need to look at your connectivity particularly with USB ports.”