The Tripwire survey polled 480 IT security experts with questions about enterprise patch management policies at their organizations.
The results indicate that IT staff are struggling to ensure that all systems are kept in a fully patched state. 67% of respondents said that at least a portion of the time, they are not certain about which patches need to be applied to certain systems.
The complexity of enterprise patch management is an issue. For instance, a patch may be released to address Adobe Flash vulnerabilities, but it comes packaged with Google Chrome updates. It addresses Flash weaknesses in Chrome, where Adobe Flash is embedded, but does not address standalone installations or Flash weaknesses in other browsers. 86% of respondents said that issues such as this make it difficult to understand the impact of a patch. It is all too easy for security flaws to remain after a patch has been applied.
Patches are made available that address a range of security vulnerabilities, but they do not address those vulnerabilities across all systems. The application of a patch will not necessarily remediate a security vulnerability completely. According to Tripwire, “The relationship between patches and vulnerabilities is far more complex than most people think.”
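The Chrome-bundled Flash case above is the classic many-to-many patch/vulnerability relationship. The following is an added example (not from Tripwire or the article) of a vulnerability-centric remediation check: rather than recording "patch applied", it asks, for every installed instance of the affected component, whether that instance is at a fixed version. The inventory, version numbers and vulnerability id are all constructed sample data, and the Chrome/standalone/Firefox delivery channels are an assumption for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Instance:
    host: str
    component: str  # the vulnerable software, e.g. "flash"
    via: str        # delivery channel: "chrome-bundled", "standalone", "firefox-plugin"
    version: tuple  # installed version as a tuple so comparisons are numeric

# Constructed vulnerability record (placeholder id, not a real CVE): one flaw that
# reaches the fleet through several channels, each of which needs its own fix.
# A fixed version of None means no fix has shipped for that channel yet.
VULN = {
    "id": "EXAMPLE-FLASH-0001",
    "component": "flash",
    "fixed_versions": {
        "chrome-bundled": (1, 3, 0),  # shipped inside a Chrome update
        "standalone": (1, 3, 0),      # needs the separate Flash installer
        "firefox-plugin": None,       # nothing to apply yet in this scenario
    },
}

def remaining_exposure(inventory, vuln):
    """Instances still vulnerable to `vuln`: remediated only if a fix exists for the
    instance's channel AND the installed version is at or above that fix."""
    exposed = []
    for inst in inventory:
        if inst.component != vuln["component"]:
            continue
        fixed = vuln["fixed_versions"].get(inst.via)
        if fixed is None or inst.version < fixed:
            exposed.append(inst)
    return exposed

def apply_chrome_update(inventory, new_version):
    """Simulate rolling out the Chrome update: only the bundled Flash copies change."""
    return [Instance(i.host, i.component, i.via, new_version) if i.via == "chrome-bundled" else i
            for i in inventory]

# Constructed inventory: one workstation with Flash installed three different ways.
INVENTORY = [
    Instance("ws-01", "flash", "chrome-bundled", (1, 2, 0)),
    Instance("ws-01", "flash", "standalone", (1, 2, 0)),
    Instance("ws-01", "flash", "firefox-plugin", (1, 2, 0)),
]

if __name__ == "__main__":
    patched = apply_chrome_update(INVENTORY, (1, 3, 0))
    for inst in remaining_exposure(patched, VULN):  # the Chrome patch clears only one of three
        print(f"{inst.host}: {inst.component} via {inst.via} still exposed")
```

Running it shows the standalone and Firefox instances still listed after the Chrome update, which is exactly the residual exposure a "patch applied" checkbox would hide.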
There is also serious confusion between patches and software upgrades. When it comes to tackling security vulnerabilities, a patch may address some, an upgrade may address others, and there is often some overlap between the two. Because of this, organizations have difficulty seeing to it that all software is properly patched and fully up to date.
The survey showed that 50% of enterprises do not understand the difference between applying patches and remediating security flaws. 7% of respondents did not realize there was a difference between applying a patch and addressing a security vulnerability, while 43% said their staff had trouble getting to grips with the difference.
Patches are now being released regularly and many enterprises find it difficult to tackle the sheer number of patches being released. Before the survey was completed, Tripwire expected only a small number of organizations to be experiencing “patch fatigue.” However, it is clear from the results of the survey that this is a widespread issue. 50% of respondents said that patches are now being made available at an unmanageable rate.
Enterprise patch management may be one of the most fundamental security measures, but effective patch management is anything but easy.