PCI DSS Position on Patching May Be Unjustified

Verizon Business recently posted an excellent article on their blog about security patching. As someone who just read The New School of Information Security (an important book that all information security professionals should read), I thought it was refreshing to see someone take an evidence-based approach to information security controls. Verizon begins by asking the following two questions:

How much better is it to have a world-class patching process compared to an average one? Could it ever be detrimental to patch too fast?

The idea that “patching too fast” could be “detrimental” is clearly related to this column’s focus on the concept of “agile security,” so this immediately caught my attention. Verizon sums up the answers to their own questions nicely:

The recently published “Verizon Business 2008 Data Breach Investigations Report” describes characteristics of more than 500 computer crime investigations performed over the past four years. Our data shows that in only 18% of cases in the hacking category (see Figure 11) did the attack have anything to do with a “patchable” vulnerability. Further analysis in the study (Figure 12) showed that 90% of those attacks would have been prevented had patches been applied that were six months in age or older! Significantly, patching more frequently than monthly would have mitigated no additional cases.

Not only was patching more frequently than monthly unnecessary to prevent the vast majority of the compromises included in their research, but there is also evidence that in at least some cases the focus on frequent patching caused more harm than good.

In summary, the Sasser worm study analysis found that companies who had succeeded at “patching fast” were significantly worse off than “average” companies in the same study. This seemed to be because, as a group, these companies tended toward less use of broad, generic countermeasures. They also thought they had patched everyone, when in reality they hadn’t. You might say they spent more of their energy and money on patching and less on routing, ACLs, standard configurations, user response training, and similar “broad and fundamental” controls.

And the above quotation only considers the impact of “patching fast” from a security effectiveness perspective. It says nothing about the potential for other negative impacts of “patching fast” on an organization’s agility.

Compare the results of Verizon’s research with an industry benchmark, the very well-intentioned Payment


  1. Jens Laundrup Jun 30, 2008 at 10:32 am

    Well said, Jeff.
    I would be willing to bet that they (The Payment Card Industry) do not follow their own patching mandate. It reflects the overall problem with PCI DSS, that it is too prescriptive but fails to meet the intended objective. We can draw a similar parallel to the Department of Defense, where they often have a checklist that they have to go through to show compliance with a security directive. The problem with them is you can show compliance with the checklist or with PCI and be inadequately secured, thus meeting the letter of the law but failing at the intent. It is time for the PCI to start thinking about adopting a different tactic.
    In my opinion, certification to ISO/IEC 27001 would do much more to meet the intent of PCI DSS than PCI DSS does today.

  2. Adam Shostack Jun 30, 2008 at 10:33 am

    Thanks for the mention, Jeff! I’m glad we inspired you to do this, and I’ve posted some thoughts in response at http://www.emergentchaos.com/archives/2008/06/in_the_land_of_the_blind.html
