Page 1167 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
of patches so that they have adequate time to test and deploy them.
Many organizations that have support contracts with Microsoft have advance notification of the patches prior to Patch Tuesday. Some vulnerabilities are significant enough that Microsoft releases them “out-of-band.” In other words, instead of waiting for the next Patch Tuesday to release a patch, Microsoft releases some patches earlier.
Attackers realize that many organizations do not patch their systems right away. Some attackers have reverse-engineered patches to identify the underlying vulnerability and then created methods to exploit the vulnerability. These attacks often start within a day after Patch Tuesday, giving rise to the term Exploit Wednesday.
However, many attacks occur on unpatched systems weeks, months, and even years after vendors release the patches. In other words, many systems remain unpatched, and attackers exploit them much later than a day after the vendor released the patch. As an example, the WannaCry ransomware attack in May 2017 infected more than 230,000 systems within a day. The attack exploited systems that didn’t have a Microsoft security update that was released in March 2017, about two months earlier.
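As an added example (not code from the study guide), the following Python script computes the Patch Tuesday and Exploit Wednesday dates for a given month and measures each host's exposure window, the days between a patch's release and its deployment, over a constructed inventory checked against the March 2017 release the WannaCry discussion refers to. Host names and the 30-day SLA are assumptions.

```python
"""Patch exposure-window report (added example, not the study guide's own code)."""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month: Microsoft's scheduled release day."""
    first = date(year, month, 1)
    days_to_first_tuesday = (calendar.TUESDAY - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)

def exploit_wednesday(year: int, month: int) -> date:
    """The day after Patch Tuesday, when reverse-engineered exploits tend to appear."""
    return patch_tuesday(year, month) + timedelta(days=1)

def exposure_days(released: date, applied: Optional[date], as_of: date) -> int:
    """Days a host stayed exploitable: from release until the patch was applied,
    or until as_of if the patch was never applied (clamped at zero)."""
    end = applied if applied is not None else as_of
    return max((end - released).days, 0)

@dataclass
class Host:
    name: str
    patch_applied: Optional[date]  # None means still unpatched

# Constructed sample inventory (hypothetical hosts). The update that blocked
# WannaCry shipped on the March 2017 Patch Tuesday; the outbreak began on
# 12 May 2017, which is the date this report is run "as of".
RELEASE = patch_tuesday(2017, 3)
AS_OF = date(2017, 5, 12)
INVENTORY = [
    Host("ws-01", date(2017, 3, 16)),   # patched two days after release
    Host("ws-02", date(2017, 4, 20)),   # patched, but past the assumed 30-day SLA
    Host("srv-legacy", None),           # never patched: the WannaCry case
]

def exposure_report(hosts: List[Host], released: date, as_of: date,
                    sla_days: int = 30) -> List[dict]:
    """Rank hosts by exposure window, longest first, flagging SLA breaches."""
    rows = []
    for host in hosts:
        days = exposure_days(released, host.patch_applied, as_of)
        rows.append({"host": host.name, "exposure_days": days,
                     "unpatched": host.patch_applied is None,
                     "over_sla": days > sla_days})
    return sorted(rows, key=lambda r: r["exposure_days"], reverse=True)
```

Run against the constructed inventory, the never-patched host shows a 59-day window, matching the "about two months" the text describes.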
Vulnerability Management
Vulnerability management refers to regularly identifying vulnerabilities, evaluating them, and taking steps to mitigate the risks associated with them. It isn’t possible to eliminate all risks. Similarly, it isn’t possible to eliminate all vulnerabilities. However, an effective vulnerability management program helps an organization ensure that it is regularly evaluating vulnerabilities and mitigating the vulnerabilities that represent the greatest risks. Two common elements of a vulnerability management program are routine vulnerability scans and periodic vulnerability assessments.
One of the most common vulnerabilities within an

