https://urgentcomm.com/wp-content/themes/ucm_child/assets/images/logo/footer-new-logo.png
  • Home
  • News
  • Multimedia
    • Back
    • Multimedia
    • Video
    • Podcasts
    • Galleries
    • IWCE’s Video Showcase
    • Product Guides
  • Commentary
    • Back
    • Commentary
    • Urgent Matters
    • View From The Top
    • All Things IWCE
    • Legal Matters
  • Resources
    • Back
    • Resources
    • Webinars
    • White Papers
    • Reprints & Reuse
  • IWCE
    • Back
    • IWCE
    • Conference
    • Special Events
    • Exhibitor Listings
    • Premier Partners
    • Floor Plan
    • Exhibiting Information
    • Register for IWCE
  • About Us
    • Back
    • About Us
    • Contact Us
    • Advertise
    • Terms of Service
    • Privacy Statement
    • Cookie Policy
  • Related Sites
    • Back
    • American City & County
    • IWCE
    • Light Reading
    • IOT World Today
    • Mission Critical Technologies
    • TU-Auto
  • In the field
    • Back
    • In the field
    • Broadband Push-to-X
    • Internet of Things
    • Project 25
    • Public-Safety Broadband/FirstNet
    • Virtual/Augmented Reality
    • Land Mobile Radio
    • Long Term Evolution (LTE)
    • Applications
    • Drones/Robots
    • IoT/Smart X
    • Software
    • Subscriber Devices
    • Video
  • Call Center/Command
    • Back
    • Call Center/Command
    • Artificial Intelligence
    • NG911
    • Alerting Systems
    • Analytics
    • Dispatch/Call-taking
    • Incident Command/Situational Awareness
    • Tracking, Monitoring & Control
  • Network Tech
    • Back
    • Network Tech
    • Interoperability
    • LMR 100
    • LMR 200
    • Backhaul
    • Deployables
    • Power
    • Tower & Site
    • Wireless Networks
    • Coverage/Interference
    • Security
    • System Design
    • System Installation
    • System Operation
    • Test & Measurement
  • Operations
    • Back
    • Operations
    • Critical Infrastructure
    • Enterprise
    • Federal Government/Military
    • Public Safety
    • State & Local Government
    • Training
  • Regulations
    • Back
    • Regulations
    • Narrowbanding
    • T-Band
    • Rebanding
    • TV White Spaces
    • None
    • Funding
    • Policy
    • Regional Coordination
    • Standards
  • Organizations
    • Back
    • Organizations
    • AASHTO
    • APCO
    • DHS
    • DMR Association
    • ETA
    • EWA
    • FCC
    • IWCE
    • NASEMSO
    • NATE
    • NXDN Forum
    • NENA
    • NIST/PSCR
    • NPSTC
    • NTIA/FirstNet
    • P25 TIG
    • TETRA + CCA
    • UTC
Urgent Communications
  • NEWSLETTER
  • Home
  • News
  • Multimedia
    • Back
    • Video
    • Podcasts
    • Omdia Crit Comms Circle Podcast
    • Galleries
    • IWCE’s Video Showcase
    • Product Guides
  • Commentary
    • Back
    • All Things IWCE
    • Urgent Matters
    • View From The Top
    • Legal Matters
  • Resources
    • Back
    • Webinars
    • White Papers
    • Reprints & Reuse
    • UC eZines
    • Sponsored content
  • IWCE
    • Back
    • Conference
    • Why Attend
    • Exhibitor Listing
    • Floor Plan
    • Exhibiting Information
    • Join the Event Mailing List
  • About Us
    • Back
    • About Us
    • Contact Us
    • Advertise
    • Cookie Policy
    • Terms of Service
    • Privacy Statement
  • Related Sites
    • Back
    • American City & County
    • IWCE
    • Light Reading
    • IOT World Today
    • TU-Auto
  • newsletter
  • In the field
    • Back
    • Internet of Things
    • Broadband Push-to-X
    • Project 25
    • Public-Safety Broadband/FirstNet
    • Virtual/Augmented Reality
    • Land Mobile Radio
    • Long Term Evolution (LTE)
    • Applications
    • Drones/Robots
    • IoT/Smart X
    • Software
    • Subscriber Devices
    • Video
  • Call Center/Command
    • Back
    • Artificial Intelligence
    • NG911
    • Alerting Systems
    • Analytics
    • Dispatch/Call-taking
    • Incident Command/Situational Awareness
    • Tracking, Monitoring & Control
  • Network Tech
    • Back
    • Cybersecurity
    • Interoperability
    • LMR 100
    • LMR 200
    • Backhaul
    • Deployables
    • Power
    • Tower & Site
    • Wireless Networks
    • Coverage/Interference
    • Security
    • System Design
    • System Installation
    • System Operation
    • Test & Measurement
  • Operations
    • Back
    • Critical Infrastructure
    • Enterprise
    • Federal Government/Military
    • Public Safety
    • State & Local Government
    • Training
  • Regulations
    • Back
    • Narrowbanding
    • T-Band
    • Rebanding
    • TV White Spaces
    • None
    • Funding
    • Policy
    • Regional Coordination
    • Standards
  • Organizations
    • Back
    • AASHTO
    • APCO
    • DHS
    • DMR Association
    • ETA
    • EWA
    • FCC
    • IWCE
    • NASEMSO
    • NATE
    • NXDN Forum
    • NENA
    • NIST/PSCR
    • NPSTC
    • NTIA/FirstNet
    • P25 TIG
    • TETRA + CCA
    • UTC
acc.com

Cybersecurity


Partner content

Patch madness: Vendor bug advisories are broken, so broken

Patch madness: Vendor bug advisories are broken, so broken

  • Written by Tara Seals / Dark Reading
  • 14th August 2022

BLACK HAT USA – Las Vegas – Keeping up with security-vulnerability patching is challenging at best, but prioritizing which bugs to focus on has become more difficult than ever before, thanks to context-lacking CVSS scores, muddy vendor advisories, and incomplete fixes that leave admins with a false sense of security.

That’s the argument that Brian Gorenc and Dustin Childs, both with Trend Micro’s Zero Day Initiative (ZDI), made from the stage of Black Hat USA during their session, “Calculating Risk in the Era of Obscurity: Reading Between the Lines of Security Advisories.”

ZDI has disclosed more than 10,000 vulnerabilities to vendors across the industry since 2005. Over the course of that time, ZDI communications manager Childs said that he’s noticed a disturbing trend, which is a decrease in patch quality and reduction of communications surrounding security updates.

“The real problem arises when vendors release faulty patches, or inaccurate and incomplete information about those patches that can cause enterprises to miscalculate their risk,” he noted. “Faulty patches can also be a boon to exploit writers, as ‘n-days’ are much easier to use than zero-days.”

The Trouble With CVSS Scores & Patching Priority

Most cybersecurity teams are understaffed and under pressure, and the mantra “always keep all software versions up-to-date” doesn’t always make sense for departments who simply don’t have the resources to cover the waterfront. That’s why prioritizing which patches to apply according to their severity rating in the Common Vulnerability Severity Scale (CVSS) has become a fallback for many admins.

Childs noted, however, that this approach is deeply flawed, and can lead to resources being spent on bugs that are unlikely to ever be exploited. That’s because there’s a host of critical information that the CVSS score doesn’t provide.

“All too often, enterprises look no further than the CVSS base core to determine patching priority,” he said. “But the CVSS doesn’t really look at exploitability, or whether a vulnerability is likely to be used in the wild. The CVSS doesn’t tell you if the if the bug exists in 15 systems or in 15 million systems. And it doesn’t say whether or not it’s in publicly accessible servers.”

He added, “And most importantly, it doesn’t say whether or not the bug is present in a system that’s critical to your specific enterprise.”

Thus, even though a bug might carry a critical rating of 10 out of 10 on the CVSS scale, it’s true impact may be much less concerning than that critical label would indicate.

To read the complete article, visit Dark Reading.

 

Tags: Applications Companies Critical Infrastructure Cybersecurity Enterprise Federal Government/Military Incident Command/Situational Awareness News Public Safety Security Software State & Local Government System Design System Installation System Operation Test & Measurement Tracking, Monitoring & Control Training Partner content

Most Recent


  • Public-safety coalition renews efforts to secure federal NG911 funding
    A coalition of public-safety associations today reiterated its support for federal legislation that would provide the funding needed to pay for 911 centers to migrate from legacy technologies to an IP-based next-generation 911 (NG911) platform that is designed to support multimedia communications, as well as traditional voice calls. Representatives of the Public Safety Next Generation […]
  • Patch madness: Vendor bug advisories are broken, so broken
    Newscan: Cyberattacks on DoE national labs draw lawmaker scrutiny
    Web Roundup Items from other news organizations Cyberattacks on DoE national labs draw lawmaker scrutiny Blinken postpones trip to Beijing after Chinese spy balloon spotted over U.S., officials say To protect satellites, secure your networks, chief of space ops says Ransomware offlines Arizona’s largest school district Mending the fabric: FCC says to file broadband-location challenges […]
  • The shine begins to wear off 5G private wireless
    Verizon had high hopes for private wireless networking. The company had predicted that by now it would be well on its way to making billions of dollars from the sale of custom 4G and 5G networks dedicated exclusively to its enterprise customers. Indeed, during 2021 Verizon execs pegged the total addressable market for private wireless at around […]
  • Phishers trick Microsoft into granting them 'verified' Cloud Partner status
    Late last year, a group of threat actors managed to obtain “verified publisher” status through the Microsoft Cloud Partner Program (MCPP). This allowed them to surpass levels of brand impersonation ordinarily seen in phishing campaigns, as they distributed malicious applications bolstered by a verified blue badge only ever given to trusted vendors and service providers in […]

Leave a comment Cancel reply

To leave a comment login with your Urgent Comms account:

Log in with your Urgent Comms account

Or alternatively provide your name, email address below:

Your email address will not be published. Required fields are marked *

Related Content

  • Black Hat 2022: Adapting to the growing cyberthreat landscape
  • Diffusing the connected car's ticking data-privacy timebomb
  • Cisco confirms data breach, hacked files leaked
  • Coalition expresses urgent need for NG911 funding, wants more than proposed $10 billion

Commentary


How 5G is making cities safer, smarter, and more efficient

26th January 2023

3GPP moves Release 18 freeze date to March 2024

18th January 2023

Do smart cities make safer cities?

  • 1
6th January 2023
view all

Events


UC Ezines


IWCE 2019 Wrap Up

13th May 2019
view all

Twitter


UrgentComm

Public-safety coalition renews efforts to secure federal NG911 funding dlvr.it/ShwGfn

4th February 2023
UrgentComm

Newscan: Cyberattacks on DoE national labs draw lawmaker scrutiny dlvr.it/Shvpw3

3rd February 2023
UrgentComm

The shine begins to wear off 5G private wireless dlvr.it/Shth0P

3rd February 2023
UrgentComm

Phishers trick Microsoft into granting them ‘verified’ Cloud Partner status dlvr.it/Shqngn

2nd February 2023
UrgentComm

Shapeshifting robot can morph from a liquid to a solid dlvr.it/Shqk9K

2nd February 2023
UrgentComm

Automakers against stampede to BEV dominance dlvr.it/ShpX08

2nd February 2023
UrgentComm

FCC nominee Gigi Sohn headed for third Senate hearing dlvr.it/ShpDcZ

1st February 2023
UrgentComm

Sign up to learn how to successfully manage your Motorola ASTRO® 25 System: spr.ly/60143j8fp https://t.co/XcxiUwzN27

1st February 2023

Newsletter

Sign up for UrgentComm’s newsletters to receive regular news and information updates about Communications and Technology.

Expert Commentary

Learn from experts about the latest technology in automation, machine-learning, big data and cybersecurity.

Business Media

Find the latest videos and media from the market leaders.

Media Kit and Advertising

Want to reach our digital and print audiences? Learn more here.

DISCOVER MORE FROM INFORMA TECH

  • American City & County
  • IWCE
  • Light Reading
  • IOT World Today
  • Mission Critical Technologies
  • TU-Auto

WORKING WITH US

  • About Us
  • Contact Us
  • Events
  • Careers

FOLLOW Urgent Comms ON SOCIAL

  • Privacy
  • CCPA: “Do Not Sell My Data”
  • Cookie Policy
  • Terms
Copyright © 2023 Informa PLC. Informa PLC is registered in England and Wales with company number 8860726 whose registered and Head office is 5 Howick Place, London, SW1P 1WG.