How quickly do you patch severe security vulnerabilities, such as the most recent CVE-2019-0708?

How quickly do you patch severe security vulnerabilities, such as the most recent CVE-2019-0708?

Steve Comstock

Steve Comstock, CIO

Depends on the risk profile of the vulnerability and its exposure to be compromised but usually sooner than later

Steven SIM Kok Leong

Steven SIM Kok Leong, VP

Depends on exposure of attack surface, availability of exploit, compensating controls. And patching need not be the only answer to mitigate vulnerabilities eg it could be WAF, a configuration change, ACL tightening or as simple as disabling a module or service.

Clay Gravil

Clay Gravil, Director Of Information Technology - Network and Information Security

All depends on the exposure we have and the criticality of the system. 

Akshay Sharma

Akshay Sharma, Principal Analyst, neXt Curve

According to MSFT this is especially nefarious: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708 as it can allow an attacker to then install programs; view, change, or delete data; or create new accounts with full user rights. I would not only install the correct patches immediately as it could lead to non-compliance to HIPAA, and GDPR, as well as California's CCPA rules regarding privacy of consumers, but if medical records are involved it's even more serious. I would additionally look to access control lists to the terminals as an extra precaution by installing solutions like the following: https://colortokens.com/wp-content/uploads/Healthcare-Industry-solution-brief.pdf

Michael Wahl

Michael Wahl, Senior Director of IT

Agree with others, the action::response to the event, action::remediation certainly depends several variables in addition to the exposure and overall  criticality of the system.

Christopher Thomas

Christopher Thomas, Executive Director

Depends on exposure and level of vulnerability. Still runs through same process either way. Time tables may vary.

Mike D. Kail

Mike D. Kail, CTO

First, patching any vulnerability is the tactical aspect that needs to be driven by an overall security strategy that continuously maps exposure and risk to known vulnerabilities. You need to have proper context in order to make the decision about when to tactically patch. Otherwise your team will *always* be in reactive mode and will rapidly burn out from "alert and vulnerability fatigue"

Clifton Persaud

Clifton Persaud, Assistant Director of IT Audits

Critical security patches should be applied to your most critical systems first (like immediately) and then rolled out to the least critical systems. Normally within 24 hours, usually that same night.  Of course you should have a change control process in place that are being followed. You don't want to apply patches that will break your system and stop production, so change control process is very important.

Yorick Phoenix

Yorick Phoenix, CTO

Depends on the patch. If it is critical and applies to us same day, if not then sometime in the future and when perform regular maintenance. Eg: the mentioned patch doesn't even apply to our environments so totally ignored, nothing to patch.

Pat Reynolds

Pat Reynolds, CIO/CTO

Depending on the severity but in most cases I would install the patch ASAP. 

Lee Vorthman

Lee Vorthman, Director of Information Security

Agree with others here. We set policies based on severity and CVSS score. Critical is immediate if it applies. Lower than critical severities are prioritized within 30 days or less depending on patch cycles.

Wael Ismail Elaish

Wael Ismail Elaish, Director of IT

I would say if you have a strong emergency change management process, I would say it should be applied immediately.