6 Nov 2014

Is patching the answer to security?

Back in the 90's, before the Internet was for everyone, we used to connect to weird foreign-language Bulletin Board Systems in Asia to download new drivers. No one really patched operating systems or applications at that time.

Then the first trojans started to hit us around the millennium, and patching became best practice.
However, 15 years later it is still very difficult to manage in a real-world situation.

Enterprises need to verify that patches do not cause incompatibility and downtime, and how do you do that with thousands of internal applications? Sure, you can look at various soft patching techniques (a virtual patch in a WAF or IPS that blocks the known attack pattern, for instance), but those only buy time; ultimately you need to patch.

Various news sites are now reporting that a new Drupal security vulnerability is out. The advice is apparently to assume you have been compromised unless you patched within 7 hours of the announcement. How is that working out for everyone?



Patching also assumes you are aware there is a vulnerability in the first place, but zero-day attacks, for which no patch exists yet, are quite common nowadays.

I think we need to start realizing that we will not be able to patch, even if we do our very best.

We should obviously continue to patch, but do it more cleverly. That requires security intelligence and good configuration management, so that when an advisory comes out we can quickly see which systems run the affected software, which of those are exposed, and what the risk is.
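To make the "see which systems are affected and what the risk is" step concrete, here is an added example (not code from the original post) of matching a published advisory against a configuration-management inventory and ranking the hits. The inventory, the advisory version range and the risk weights are constructed for illustration; the `virtual_patch` flag models the soft patching mentioned above as a mitigation that lowers but does not remove the risk.

```python
"""Advisory-to-inventory triage: which hosts are affected, and in what order to patch.

Added example; the inventory, advisory and weights below are constructed, not real data.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    software: dict              # product -> installed version, e.g. {"drupal": "7.31"}
    internet_facing: bool
    data_class: str             # "public", "internal" or "confidential"
    virtual_patch: bool = False # WAF/IPS rule for this issue already in place ("soft patch")


@dataclass(frozen=True)
class Advisory:
    product: str
    affected_from: str          # first affected version (inclusive)
    fixed_in: str               # first fixed version (exclusive upper bound)


def parse_version(text):
    """'7.31' -> (7, 31, 0); tolerant of suffixes such as '7.32-dev' -> (7, 32, 0).

    Versions are padded to three components so '7' and '7.0' compare equal.
    """
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(installed, advisory):
    """True when affected_from <= installed < fixed_in."""
    v = parse_version(installed)
    return parse_version(advisory.affected_from) <= v < parse_version(advisory.fixed_in)


# Constructed weights: exposure matters most, then what the system holds.
EXPOSURE = {True: 3, False: 1}
DATA_WEIGHT = {"public": 1, "internal": 2, "confidential": 3}


def risk_score(asset):
    score = EXPOSURE[asset.internet_facing] * DATA_WEIGHT[asset.data_class]
    if asset.virtual_patch:
        score = max(1, score // 2)  # mitigated, not fixed: still on the list, lower down
    return score


def triage(inventory, advisory):
    """Return (host, installed_version, score) for affected hosts, highest risk first."""
    hits = []
    for asset in inventory:
        installed = asset.software.get(advisory.product)
        if installed is None or not is_affected(installed, advisory):
            continue
        hits.append((asset.host, installed, risk_score(asset)))
    hits.sort(key=lambda h: (-h[2], h[0]))
    return hits


# Constructed sample inventory and advisory (version range is illustrative only).
INVENTORY = [
    Asset("www1", {"drupal": "7.31"}, True, "confidential"),
    Asset("www2", {"drupal": "7.32"}, True, "confidential"),          # already on the fixed version
    Asset("www3", {"drupal": "7.28", "php": "5.4.4"}, True, "internal", virtual_patch=True),
    Asset("intranet", {"drupal": "7.20"}, False, "internal"),
    Asset("blog", {"drupal": "6.33"}, True, "public"),                # outside the affected range
    Asset("db1", {"postgresql": "9.3.5"}, False, "confidential"),     # does not run the product
]
ADVISORY = Advisory(product="drupal", affected_from="7.0", fixed_in="7.32")

if __name__ == "__main__":
    for host, version, score in triage(INVENTORY, ADVISORY):
        print(f"{host:10s} {version:8s} risk={score}")
```

With the constructed data the Internet-facing host holding confidential data comes out on top, the host behind a virtual patch drops below it, and the intranet host is last; hosts already on the fixed version, on an unaffected major version, or not running the product at all do not appear. The point is not the particular weights but that the answer comes from inventory data you already maintain, within minutes rather than days.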

However, the real game changer is that we need to shift our budgets from protection to detection and response.



You can't hope to stop everything (especially not within 7 hours, as in the Drupal example), but there is a good chance you can detect an intrusion once it happens, or at least deal with it.

Are Apple products more secure?

Several of my acquaintances believe that Apple products are inherently more secure. While that is debatable, it is fair to say that there is no such thing as a secure computing platform.

Why? There is no such thing as bullet-proof software, and new technology concepts are driven by a product vision, with security bolted on as an afterthought.

I have done work for a lot of banks, and it's very clear that attackers go for 1) large user populations and 2) low-hanging fruit.

Apple users have always been a minority, and the tightly controlled ecosystem has made exploitation more difficult.

Well, things are changing anyway. Plenty of Apple-related vulnerabilities are now being published, and Apple has had its fair share of problems this year, from the iCloud account compromises to the WireLurker malware that was just announced.