Why Attackers Keep Winning at 'Patch or Perish'

Fresh Flaws Exploited Faster Than They're Patched, Says Tenable's Gavin Millard
Gavin Millard, Technical Director, Tenable

One of the biggest information security challenges facing organizations is that they must try to identify and patch all new vulnerabilities that come to light in every piece of software and hardware that they use. Unfortunately, no matter how quickly patch managers move, on average, attackers move faster, developing exploits that target new flaws before they get fixed, says Gavin Millard, technical director for Europe, the Middle East and Africa at Tenable.

Tenable analyzed the top 50 vulnerabilities of last year to study how quickly attackers could exploit new flaws before organizations patched them. "The average time from a vulnerability being disclosed to an exploit being available - so basically, an attacker being able to leverage that exploit - is five days," Millard says. But 34 percent of the top 50 vulnerabilities involved a zero-day attack that exploited a flaw before it was publicly known. Meanwhile, organizations took on average 12.8 days to identify known flaws, often then taking weeks to remediate them.

In a video interview at the recent Infosecurity Europe conference in London, Millard discusses:

  • The ever-increasing quantity of vulnerabilities found in software;
  • The timeframe in which attackers exploit flaws, compared to when they get fixed;
  • The quest for better vulnerability management practices.

Millard serves as the technical director for EMEA at Tenable. An ethical hacker, Millard works with enterprises to address their cybersecurity challenges. He previously worked as the EMEA technical director for Tripwire. Millard regularly speaks on data integrity, hacking and other key security topics.


About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.



