\u201cAs a security professional, what keeps you up at night?<\/p>\n
I get this question all the time when speaking at various security events. There are a myriad of security-related problems that keep me up at night, but the one that weighs on my mind most is the sheer number of old vulnerabilities \u2014 we\u2019re talking vulnerabilities at least a year old or more \u2014 that are still being successfully exploited.<\/p>\n
According to Secunia<\/a>, more than 15,000 vulnerabilities were discovered across nearly 4,000 products in 2014 alone.<\/p>\n So, why does this bother me so much? Because exposing yourself to risk through old vulnerabilities is unnecessary.<\/p>\n Vendors typically release patches for the most severe CVEs very quickly after they\u2019re discovered, with 83 percent<\/a> releasing them on the same day as disclosure. I\u2019d like to say that, in light of this information, there\u2019s no reason for organizations to be susceptible to old vulnerabilities, but that\u2019s not entirely true.<\/p>\n Problems arise when there are so many patches per month or year that IT simply cannot keep up, as well as when vulnerable software runs on systems so critical that any downtime would endanger employee safety or cost the company millions of dollars in lost productivity. The vulnerability problem becomes an insurmountable obstacle that gets perpetually more difficult to tackle with each passing day. However, there are processes and technologies available to help solve these problems.<\/p>\n