Zero-day risks are overstated
Head of patch management firm pours scorn on zero day naysayers
Patrick Clawson, newly appointed chief executive at PatchLink, poured scorn on the panic associated with “zero-day vulnerabilities”, calling it “bullshit”.
“I’m calling bullshit on the whole zero day thing. These vulnerabilities are announced on that day, not released; it’s in the year running up to that date where they cause problems. By the time something like Slammer becomes well known, it is a nuisance, but [as an IT manager] what you have to worry about is what you don’t know.”
Tackling these unknown risks is very challenging, said Clawson, who advised firms to train staff so that they do not fall victim to social-engineering attacks. “Social engineering is probably one of the most damaging elements in that one-year time frame,” said Clawson. He added that firms should lock down as many parts of the corporate network as possible: “You have to protect everything. Even your printers have enough memory to be used as a server for a porn site.”
Alan Bentley, managing director at PatchLink, added that when it came to patching, “many organisations think that their best effort is enough. It is not. If there is a fix, you have to apply it.”