the 7th Annual Virtual Cybersecurity Conference for Executives.


Organizations managing risk usually adopt some mix of mitigation and transfer, with transferal of risk typically involving insurance. The Conference’s second session, on March 17th, 2021, took up both.

The complicated relationship between patching and risk.

In the second session of the 7th Annual Virtual Cybersecurity Conference for Executives, hosted by Ankura and Johns Hopkins University Information Security Institute, Avi Rubin, Technical Director of the JHU Information Security Institute, discussed controls that can reduce an organization’s risk.

Rubin emphasized the importance of timely patching by reviewing the risk associated with a given vulnerability over time. The risk is very low before the vulnerability has been discovered by anyone, 

Ironically, the risk associated with a vulnerability rises significantly after a patch has been released, since the patch allows attackers to home in on the vulnerability and create an exploit. “There’s a race against time as to when the patch is distributed – if you don’t apply that patch, you’re much more vulnerable than before it was even patched in the first place,” Rubin said.

Cognitive narrowing and increased…
