Well, I think we all knew it was coming. More and more vendors are moving to the scheduled patch cycle instead of releasing as-needed patches. This both a boon and a disaster, depending on your point of view/level of risk tolerance.
In this article, Cisco announces that they will now release their patches every 6 months. I suppose they consider twice a year patching to be enough for the critical components of the network such as routers, switches and other devices. Heck, they are even going to move Linksys patching to every 6 months, so the home users of the product line can ignore them 2 times per year, on schedule, instead of ignoring the patch releases all “willy-nilly” like they presently do.
Why do all the vendors think scheduled patching is such a good idea? I suppose the only answer is that it helps them better schedule their own resources and such, since it CERTAINLY CAN’T BE ABOUT MINIMIZING THE RISK WINDOW BETWEEN VULNERABILITY DISCOVERY AND MITIGATION. Resource scheduling is also the most common cause I hear from IT folks who support this process of patch releases. I just hope that we can convince attackers to manage their resources a little better too, since it would be very nice if their vulnerability research, exploit development and wide-scale attacks could magically coincide with the appropriate patching processes. Then everything would be better for everyone and the world would be a very nice place indeed…
The problem is, the real world just doesn’t work like that. Exploits and vulnerabilities will continue to be discovered in real time, just as before, except now attackers will know the timeline for the value of their new attacks. In many ways, this serves to bolster the underground economy of attack development since you don’t need 0-day for Cisco products, 179-day exploits will do just fine!
I get the desire of IT and vendors to stabilize their work forces and to better schedule and manage their resources. I really do. Police would like to be able to schedule crime as well, so that they could have weekends and nights off to spend with their families. But, being a law enforcement officer comes with some requirements and schedule flexibility is one of them. The same goes for IT folks. In my opinion, scheduled patching, especially patching every 6 months, is simply a reinforcement of traditional IT thought processes. If my readers know one thing about the MSI vision, it is that thinking differently is the key to information security, since what we are doing to date does not seem to be working so well.
Cisco is a huge company. I know many consider them to be unresponsive to customer concerns, but I truly hope that IT professionals reach out to them on this and that they listen. Cisco devices truly do form the core of many, many, many networks. Their products literally power much of the Internet as we know it today. That gives them immense power, but also makes them a HUGE target. Given their critical role, six month patching just does not seem to be a reasonable solution to me. If you feel the same way, let them know!