Many organizations have security policies with an associated time frame. For example, a patch policy may require that a patch be applied to a vulnerable server within a specific time frame. This makes sense, since timely patching is an important security control, but patching can also have a business impact (the need to reboot a critical server, or a patch that causes service or availability issues).
When patching, organizations need to make a trade-off between the risk of applying a patch and the risk of not applying it. There are no good general information sources on the risk associated with applying a patch, but there is data that can be used to estimate the risk of delaying patch deployment.
Here are some of the relevant numbers:
- 11,079 exploits (~26%) have a mapped CVE number.
- 14% are zero-day (published before the vendor releases a patch), 23% are published within a week of the patch release, and 50% are published within a month of the patch release.
- On average, an exploit is published 37 days after the patch is released.
Roughly speaking, there is about a 1 in 4 chance that a vulnerability will have a publicly available exploit 37 days after its patch is released. That means that if you patch within 37 days of the patch becoming available, the risk of exploitation is usually very low (though this is only an average; as the MS-Exchange vulnerability taught us, it can be much sooner than that). If you wait longer than 37 days, the risk of exploitation of an unpatched server goes up dramatically.
This is a very simplistic risk analysis, and it is possible to do much better based on specific information from your environment. But the bottom line is that the longer you wait to patch, the more you are at risk.
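The simplistic analysis above, turned into a small model as an added example (this is not code from the original post). The percentages and the ~26% share are the figures quoted above; reading them as cumulative points at days 0, 7 and 30, interpolating linearly between them, and assuming the remaining exploits appear by a 365-day horizon are assumptions made here so the model can be evaluated for any patch delay.

```python
"""Toy model of exploit exposure as a function of patch delay.

Inputs are the figures quoted on the page. The piecewise-linear
interpolation and the 365-day tail horizon are assumptions for this
example, not data from the page; change them to fit your own data.
"""

# Share of vulnerabilities assumed to get a public exploit at all
# (the page's "~26%", i.e. roughly 1 in 4).
P_HAS_EXPLOIT = 0.26

# Cumulative share of those exploits that are public N days after the
# patch ships, read from the page's percentages (assumed cumulative):
# day 0 (zero-day) 14%, within a week 23%, within a month 50%.
CDF_POINTS = [(0, 0.14), (7, 0.23), (30, 0.50)]

# Assumed: the rest trickle out linearly until all are public one year
# after the patch (the page gives no figure for the tail).
TAIL_HORIZON_DAYS = 365


def exploit_release_cdf(days_after_patch: float) -> float:
    """Fraction of eventual exploits that are public by the given day."""
    if days_after_patch <= 0:
        return CDF_POINTS[0][1]
    if days_after_patch >= TAIL_HORIZON_DAYS:
        return 1.0
    points = CDF_POINTS + [(TAIL_HORIZON_DAYS, 1.0)]
    # Linear interpolation inside the segment that contains the day.
    for (d0, f0), (d1, f1) in zip(points, points[1:]):
        if d0 <= days_after_patch <= d1:
            return f0 + (f1 - f0) * (days_after_patch - d0) / (d1 - d0)
    raise ValueError("day outside interpolation table")


def p_exploit_available(days_after_patch: float) -> float:
    """Probability an arbitrary CVE has a public exploit after that delay."""
    return P_HAS_EXPLOIT * exploit_release_cdf(days_after_patch)


def patch_sla_ok(sla_days: int, max_acceptable_p: float) -> bool:
    """True if patching within `sla_days` keeps exposure under the budget."""
    return p_exploit_available(sla_days) <= max_acceptable_p


if __name__ == "__main__":
    for d in (0, 7, 14, 30, 37, 90, 180):
        print(f"patch at day {d:>3}: P(public exploit) ~ {p_exploit_available(d):.3f}")
```

Note that exposure is already non-zero at day 0 because of the zero-day share, which is the "it can be much sooner" caveat in numbers.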