Survey: Patch Management Still Big Stumbling Block in Risk Management
McAfee report shows how companies spend to meet compliance rules
McAfee's "Risk and Compliance Outlook - 2012" survey of 438 IT professionals in the U.S., Europe, Brazil, Australia and Singapore finds that the main challenge in risk and compliance management is getting visibility into IT operations. Four out of five of those surveyed believe "visibility into the risk posture of their IT environment" is important, and one-quarter estimated that good visibility saves them six to 10 hours of IT staff time per week.
But the patching of software remains a chief stumbling block to good risk management, according to the findings.
"Before the advent of numerous regulations and the rise of malicious code targeting known vulnerabilities, patch management was not a top issue for many organizations," states the McAfee report. "Today, patch management must be a top priority to mitigate the continuous threat of malicious code and compliance failure. These concerns have pushed organizations to gain better control and oversight of their information assets. This is seen with nearly half of the surveyed organizations applying patches monthly and near one-third doing so on a weekly basis."
But as they patch away, there is a sense that the process is time-intensive and costly. The IT professionals surveyed indicated they are tempted to patch routine vulnerabilities less often in order to save money.
About half of the companies say they are able to pinpoint the risks associated with vulnerabilities and threats well, "and 43% indicate they over-protect and patch everything they can." That is a substantial workload, given that the National Vulnerability Database recorded 3,532 vulnerabilities last year.
But the most disruptive aspect of patching is said to be "out-of-cycle patches," which fall outside the scheduled monthly "Patch Tuesday" release led by Microsoft, with other vendors now also timing their patch announcements to the second Tuesday of the month.
Out-of-cycle patches can be of critical security importance, and 70% of the survey respondents said these events do have an impact, but only 13% described this as a "major impact."
The most important regulations that companies have to comply with are the Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley, the HIPAA regulations for healthcare, and others, such as the Basel Accords rules for financial institutions. The most popular compliance frameworks are said to be ISO, ITIL and COBIT.
The survey respondents indicated that the "most challenging" regulatory mandates revolve around database security, with a focus on access control for the privileged insider and on monitoring for deviations from "normal" usage. Other needed controls are encryption of data at rest and establishing separation of duties.
Roughly three-quarters of the companies surveyed said they use database monitoring tools, with 18% saying they plan to start using them this year. Some 60% use tools to monitor for configuration changes, and 23% plan to start doing so this year. In addition, auditing, change-management, configuration assessment, file-integrity monitoring and similar tools are already used by slightly more than 60% of the respondents, and an additional quarter of those answering the survey said they plan to implement them later this year.
About 27% of IT security budgets are driven by compliance, the McAfee report states, noting this is similar to the findings of a 2011 survey. Last year, 85% of the organizations went through 10 or fewer compliance audits, but 1% endured between 41 and 60 audits, the report says.
The survey says 45% of respondents indicated they had at some point failed at least one compliance audit, though 37% passed the follow-up, and 8% ended up paying a fine because they did not meet a government or industry regulation.
The report says audits are expensive, costing on average $100,000 in external audit fees in 2011, though 39% managed to keep costs between $10,000 and $50,000, while 10% actually spent more than $250,000. The good news is that organizations seem to have spent less on average last year than they did in 2010, when the average annual cost was $160,000.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.