Change/Patch Management
Nick James
Chief AI Officer & CEO @ WhitegloveAI: helping private/public sector adopt AI responsibly and securely | Managed AI Service Provider (MAISP) | U.S. Marine | CoAuthor, AI Adoption and Management Framework
In most companies, terms such as Patch Management and Change Management are foreign to the security staff. Sure, they read about them in certification books, but the reality is that most companies still don't have formal change and patch management policies that are enforced from the top. Without governance in these areas, companies are much more vulnerable to threats written to target the vulnerabilities that current or even older patches address. Although Yahoo is a tech company (see link for reference), its case goes to show that even giants fall short in these areas where IS/IT governance may be decentralized.
The risk, as an overall statement, is the loss of brand equity and financial loss. A patch can address any type of vulnerability, depending on whether it is an OS-level patch or a software-level patch. So the best way to describe the risk outside of business speak is as follows:
Lack of Change Management - Not exercising a formal change management process can lead to disruption in operations or loss of availability (CIA). Ensuring that a formal Change Review Board, with stakeholders present, reviews the change request, tests the change in a test/sandbox environment, and communicates a change window will guarantee a successful change.
Lack of Patch Management - Not exercising a formal patch management process can lead to the unauthorized disclosure (CIA) or modification (CIA) of company data and can also lead to disruption of operations (CIA). Ensuring that your asset inventory is up to date and that your organization is using a patch management solution to maintain those assets, alongside the Change Management policy, can avert such disasters.
Thought Provoking Link: