Security News Most enterprise vulnerabilities remain unpatched a month after discovery

Solarquest

More bugs are being squashed by the enterprise, but the time it takes to do so leaves organizations at risk.

The majority of vulnerabilities remain unpatched by the enterprise a month after discovery, researchers have found.
According to CA Veracode's latest State of Software Security (SOSS) report, up to 70 percent of bugs remain unpatched four weeks after disclosure, and close to 55 percent are not resolved three months after discovery.

Vulnerabilities impacting organization networks, apps, and infrastructure are not all equal, and part of responsible security practice requires that IT staff triage issues to resolve and patch the bugs considered the most dangerous to that company.
However, according to the cybersecurity firm, 25 percent of vulnerabilities which are assigned high-severity ratings are not addressed within 290 days, and a quarter of disclosed bugs which may not be so critical remain unpatched well after a year.
...
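The percentages quoted above are remediation metrics: the share of findings still open N days after disclosure, overall and per severity. As an added example (not from the article, the report or this thread), here is how a defender would compute the same figures over their own vulnerability tracker and flag findings that are past an SLA; the findings, dates and SLA thresholds are constructed for illustration.

```python
# Added example (not from the report or thread): SOSS-style remediation metrics over constructed data.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class Finding:
    fid: str
    severity: str          # "high", "medium" or "low"
    disclosed: date        # when the vulnerability became known to the org
    fixed: Optional[date]  # None while the finding is still open

def fraction_unresolved_at(findings, days, as_of, severity=None):
    """Share of findings still open `days` after disclosure (e.g. 28, 90, 290)."""
    window = timedelta(days=days)
    # Only findings observable for at least `days` count, so something disclosed
    # last week is not silently scored as 'fixed within 90 days'.
    eligible = [f for f in findings
                if as_of - f.disclosed >= window
                and (severity is None or f.severity == severity)]
    if not eligible:
        return 0.0
    still_open = [f for f in eligible
                  if f.fixed is None or f.fixed - f.disclosed > window]
    return len(still_open) / len(eligible)

def sla_breaches(findings, sla_days, as_of):
    """IDs of open findings whose age exceeds the SLA for their severity."""
    return sorted(f.fid for f in findings
                  if f.fixed is None
                  and (as_of - f.disclosed).days > sla_days[f.severity])

# Constructed sample of eight findings tracked as of 2018-11-01 (made-up dates).
AS_OF = date(2018, 11, 1)
SAMPLE = [
    Finding("V-1", "high",   date(2018, 1, 10), date(2018, 2, 1)),   # fixed in 22 days
    Finding("V-2", "high",   date(2018, 1, 15), date(2018, 4, 20)),  # fixed in 95 days
    Finding("V-3", "high",   date(2018, 1, 5),  None),               # open ~300 days
    Finding("V-4", "medium", date(2018, 3, 1),  date(2018, 3, 20)),  # fixed in 19 days
    Finding("V-5", "medium", date(2018, 3, 5),  None),               # open ~240 days
    Finding("V-6", "low",    date(2018, 6, 1),  date(2018, 8, 20)),  # fixed in 80 days
    Finding("V-7", "low",    date(2018, 7, 1),  None),               # open ~120 days
    Finding("V-8", "high",   date(2018, 10, 25), None),              # too new for 28-day figure
]
SLA_DAYS = {"high": 30, "medium": 90, "low": 180}  # assumed SLAs, not a standard

if __name__ == "__main__":
    print(f"open at 28d / 90d: {fraction_unresolved_at(SAMPLE, 28, AS_OF):.0%} / {fraction_unresolved_at(SAMPLE, 90, AS_OF):.0%}")
    print(f"high open at 290d: {fraction_unresolved_at(SAMPLE, 290, AS_OF, 'high'):.0%}")
    print("past SLA:", sla_breaches(SAMPLE, SLA_DAYS, AS_OF))
```

Note that V-8 is excluded from the 28-day figure rather than counted as fixed or open, which is the censoring mistake that makes naive "percent patched" dashboards look better than reality.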
 

ForgottenSeer 58943

Most people don't even believe how bad corporate/enterprise security is out there right now.

I've seen one of the top 10 largest law firms in the region using $19 Tenda routers. I've seen dentist and doctor offices with active malware, no AV protection, and using Yahoo Mail for patient records. I've seen a 52 million dollar rehab facility using Netgear routers in AP mode for their APs, and AOL mail to send X-rays. HIPAA is a joke. I've never actually seen an audit take place. People I know that claim they have say they've never actually seen a fine levied. PCI compliance is a joke. Fill out a form, lie, send it off. Nobody checks or enforces it.

Everything is compromised. Every company you do business with is probably compromised. Everything is going to collapse in a massive IT apocalypse that will unfold before our very eyes - and it will happen soonish.

IT is so pathetic right now I am basically getting out of IT and working on integrated systems where I can focus on securing one integrated component of a larger thing. That way I can help guarantee the compartmentalized component I work on within an integrated environment won't collapse when the rest of the world collapses. At least I can say my stuff was secure.

I don't even want to go to a doctor or dentist anymore unless they are completely paper or I can look under the hood of their IT a bit. It's really not worth the risk. But as we know, if a doctor's office isn't computerized they can lose their license to practice, so we're all being played for fools.
 

Deleted Member 3a5v73x

Everything is going to collapse in a massive IT apocalypse that will unfold before our very eyes - and it will happen soonish.
Can't wait for that second coming. Is that the day aliens will give us that magnetic energy formula so I won't have to pay for my internet no moar?
 

509322

Most people don't even believe how bad corporate/enterprise security is out there right now.

This, unfortunately, is an accurate description of the current state of affairs - which is pathetic.

You must operate defensively on the basis that you are already compromised. For consumers, there is little that they can do because it's all third parties, and the legal and other systems have given them few, if any, options.

It will take the first billion dollar whopper - and not only that - some powerful people will have to lose money. The type of people who just won't let it happen and are in a position of power to do something about it. Then, it will take some fundamental changes which will be quite painful. I doubt lawmakers will be willing to foist the pain onto their constituents. So nothing will really change except a band-aid or two.
 

DeepWeb

Most people don't even believe how bad corporate/enterprise security is out there right now.
And probably running Windows XP. I've seen it too, looking over the shoulders of people at private practices, and I'm genuinely scared. People have their passwords written down on notes attached to their displays. It's a miracle that our health information hasn't been breached yet, thanks to herd immunity and miracles.
 

Andy Ful

It was always easy to compromise enterprises, even before the Digital Revolution. But there are some problems after that:
  1. How to hide the tracks?
  2. What to do with the stolen data?
  3. How to sell it safely?
  4. How to escape the penalty?
  5. etc.
The only thing I am truly afraid of is the scale. Nowadays, one cyber-criminal (terrorist) group could in theory compromise many enterprises and institutions around the world in a short time (WannaCry, NotPetya).
 

509322

When I ask admins why they do what they do, many of them reply "I don't want problems from Windows or Microsoft product updates".
 

Andy Ful

That is simple. When the systems hang after an update, everyone is going to blame the admin. If the enterprise is compromised, he can blame the security applied by the enterprise.
 

509322

That is simple. When the systems hang after an update, everyone is going to blame the admin. If the enterprise is compromised, he can blame the security applied by the enterprise.

Generally speaking, neither the admin nor the enterprise can be held liable as long as they used reasonable best efforts. In the absence of utter negligence, they cannot be held liable.

Admin says "Windows suxx… because it does."
 

Deleted Member 3a5v73x

That is simple. When the systems hang after an update, everyone is going to blame the admin. If the enterprise is compromised, he can blame the security applied by the enterprise.
In our country, employees in health care institutions who have to use Windows get blamed for sudden system hangs or specific problems in programs. IT gets away with it by reporting that users tried to surf Facebook while keeping their work programs open, that those operations together hit the available 4 GB RAM limit, and that this caused the programs and systems to malfunction. Never IT's fault.
 