
Benefits And Shortcomings Of Dynamic And Fixed Patch Compliance Level Case Study

Dynamic and Fixed Patch Compliance Level

The pursuit of competitive market advantage has led an increasing number of business organizations to move into online business to improve time-to-market, increase profitability and deliver innovative products. To achieve these objectives, organizations are increasingly investing in IT (information technology) to communicate effectively and transfer data across businesses through LAN (Local Area Network) and WAN (Wide Area Network). Moreover, a large number of businesses are switching from wired to wireless network systems to reduce operational costs, capital costs and management costs (Nicastro, 2005). Despite the benefits that businesses enjoy from IT investments, organizations face inherent risks from IT vulnerabilities, which can originate from network access points, poorly configured firewalls, wireless access points, and unsecured SQL databases. Vulnerabilities can also arise from weaknesses in configuration, technology, or security policy (Nicastro, 2005).

The objective of this paper is to investigate the important security issues facing IT managers in the contemporary business environment. The paper discusses the various vulnerabilities and attacks that business organizations face, and how patching can be employed to address the vulnerabilities that IT managers currently face in IT environments. The study also discusses patch compliance and the benefits and shortcomings of fixed and dynamic patch compliance levels.

Overview of Vulnerabilities

A vulnerability is a weakness in an organization's IT systems that can be exploited to compromise the organization's security. The term also covers a hardware or software bug or misconfiguration that malicious individuals can exploit.

In other words, "vulnerabilities are software flaws or misconfigurations that cause a weakness in the security of a system. Vulnerabilities can be exploited by a malicious entity to violate policies -- for example, to gain greater access or permission than is authorized on a computer." (Mell, Bergeron, & Henning, 2005 p 7).

Typically, vulnerabilities can arise from misconfigured software and hardware and from poor network design, and they can disrupt an organization's business operations. Businesses can lose enormous revenue if an attacker exploits the security loopholes that vulnerabilities create in network systems. The paper discusses the different vulnerabilities that pose challenges for managers in IT environments.

Bug Vulnerabilities

Bug vulnerabilities are malicious programs that can corrupt information systems and cause a memory address to terminate abnormally; an abnormal termination can lead to failure of the operating system (Brumley, Newsome, Song, et al., 2006).

Technological Vulnerabilities

Network and computer technologies can have intrinsic security weaknesses that lead to technological vulnerabilities. Typically, these vulnerabilities arise from operating system weaknesses, protocol weaknesses, and network equipment weaknesses. For example, ICMP, FTP, and HTTP are inherently insecure and can lead to TCP and IP protocol weaknesses. Network equipment such as firewalls, routers and switches can also develop security weaknesses, which include lack of authentication and firewall holes.

In the business world, a successful attack carried out through these vulnerabilities can damage a company's business reputation. Telang and Wattal (2010) argue that vulnerabilities have a great impact on the business world and can cause billion-dollar losses in downtime and disruption. NIST estimates that faulty software can cause attacks that lead to approximately $60 billion a year in losses. Moreover, the Gartner Group estimated that system downtime caused by security vulnerabilities increased from 5% in 2004 to 15% by 2008.

Cavusoglu, Mishra, and Raghunathan (2004) contribute to the argument by pointing out that high-profile vulnerabilities can cause security breaches in companies such as eBay, Yahoo and Amazon. For example, a company can lose 2.1% of its market value and market capitalization within two days of announcing the loss; an average loss of $1.65 billion in market capitalization has been recorded. A security survey carried out by the Federal Bureau of Investigation in 2002 reveals that vulnerabilities account for 80% of financial loss, with an estimated average loss of between $2 million and $4 million.

The cloud vulnerabilities between 2008 and 2011 have led to enormous data loss and leakages, and the vulnerabilities can come from known and unknown causes. The Appendix 1, 2, 3 and reveal the breakdown of the unknown cloud vulnerabilities. (Cloud Security Alliance, 2013). Major challenges that business...

Based on the financial losses that businesses sustain from vulnerabilities, the paper develops strategies that can be employed to manage vulnerabilities within the IT environment (Cavusoglu, Mishra, and Raghunathan, 2004).

Patch and Vulnerabilities Management

A patch is one of the security strategies that IT security managers can employ to manage vulnerabilities. A patch is a piece of code that addresses a vulnerability or fixes a bug; patches address security flaws in a program. Patching is a security-related practice that helps both system and network administrators keep their systems up to date and safe from vulnerabilities and hacker attacks. Patches should be planned and deployed carefully, but applying them is very important to an effective security system.

In other words, patching is a security-related program that helps both network and system administrators fix vulnerabilities and keep systems up to date. However, patching must be implemented properly so that it does not leave the IT and business environments vulnerable to attack. Mell, Bergeron, & Henning (2005) identify patching as a vulnerability management and security practice that prevents the exploitation of information systems and system vulnerabilities within an organization. The expected result is a reduction in the money and time spent dealing with the exploitation of vulnerabilities. Timely patching is critical to maintaining the operational confidentiality, availability, and integrity of information systems.

Patch management is vital for an organization's IT systems, and thousands of common security breaches are associated with missing network patches. A patch is defined as a piece of software used to update a computer program in order to remove security vulnerabilities from the organization's information systems. Typically, patches are critical for fixing bugs and improving the usability and performance of information systems. Patch management refers to the process of determining and planning the appropriate patches to be applied at a specified time. Vulnerability management, on the other hand, is an integral part of patch management that involves identifying, remediating, classifying and mitigating vulnerabilities in information systems. Vulnerability management is also an integral part of network security and computer security, and vulnerability scanners are effective tools for detecting host and network vulnerabilities and reducing the time taken to patch information systems. The benefit of a vulnerability scanner is that it analyzes information systems to identify vulnerabilities.

Mell, Bergeron, & Henning (2005) discuss the steps for carrying out a patch operation. First, the organization needs to carry out vulnerability scanning using automated vulnerability scanners. Vulnerability scanners are automated scanning programs that identify vulnerabilities in networks and hosts. Typically, vulnerability scanners can identify open ports and the hosts associated with vulnerabilities.

Network scanners and host scanners are two types of scanners that can be used to identify vulnerabilities. Network scanners are effective tools for mapping an organization's network in order to identify open ports and misconfigured services. They are also very effective at locating numerous hosts. Despite these benefits, network scanners are ineffective at collecting accurate information about the firewall.

Host scanners, on the other hand, are effective tools for identifying the host operating system, vulnerabilities and application misconfigurations. Typically, host scanners offer detection granularity and are capable of repairing misconfigurations. A report by the HKSAR (2008) reveals that business organizations report thousands of software vulnerabilities yearly, which makes responsive and flexible security patch management critical for the security of information systems. Mell, Bergeron, & Henning (2005) argue that deploying vulnerability remediation is the first step in a patching system. Vulnerability remediation involves three steps:

The first step is installing the security patch, which applies the patch to repair the vulnerabilities. Typically, the patch consists of code that modifies the software application in order to address the problem and free the organization's information systems from malicious code. The second step is configuration adjustment, which configures the security controls in order to block the attack vectors. Common configuration changes include modifying access controls and changing firewall rules. The next step is software removal, which involves uninstalling and removing the affected software from the information systems to eliminate the associated threats. Despite the security benefits of patch management, implementing multiple patches may be a daunting task for an organization, especially when applying…

References

Brumley, D., Newsome, J., Song, D., et al. (2006). Towards Automatic Generation of Vulnerability-based Signatures. Security and Privacy. IEEE Symposium. 15-16.

Cavusoglu, H., Mishra, B., & Raghunathan, S. (2004). The Effect of Internet Security Breach Announcements on Market Value: Capital Market Reactions for Breached Firms and Internet Security Developers. International Journal of Electronic Commerce, 9(1), 69.

Cloud Security Alliance (2013). Cloud Computing Vulnerability Incidents: A Statistical Overview. Cloud Vulnerabilities Working Group.

HKSAR (2008). Patch Management. The Government of the Hong Kong Special Administrative Region.