Recent studies show that a large portion of cybercrime could be prevented by more proactive patch management. While zero-day vulnerabilities are a frequent focus of cyber news and threat awareness, in reality it is during the period between when a vulnerability is discovered and when the patch is released and widely deployed that larger numbers of cybercrime attacks happen.1,2 The recently announced remote code execution vulnerability in Microsoft’s Internet Explorer versions 6-11 may trigger a larger number of attacks.3 While Microsoft works to develop a patch, the vulnerability is left wide open for any actor to try to exploit. Until the patch is deployed and installed by end users, this known unpatched vulnerability leaves little analysis work for cyber criminals. It is critical that industry and government decision makers approach this problem proactively to shorten the vulnerability window between the patch issuance and deployment phases.
Working with our colleague, Fred Petit, Amanda Joyce and Nate Evans recently published a piece in George Mason University’s CIP Report on cyber dependencies within critical infrastructure. The paper presents an overview of elements characterizing cyber dependencies and how they have been included in an assessment tool developed by Argonne National Laboratory for the Department of Homeland Security (DHS) Office of Cybersecurity and Communications. You can read it at the CIP Report website.