Every day of every year, new vulnerabilities in software and hardware systems are published. These publications usually detail how to locate the vulnerability and how to exploit it, and the better ones also explain how to remedy or work around the issue. They are written by security researchers. Although these publications are not peer-reviewed in the way normal scientific research is, they do tend to represent the cutting edge of the cyber threat landscape. Unfortunately, these publications are also read by the bad guys. So unless you keep yourself informed and make the necessary fixes, your exposed systems are going to be in the line of fire from some very novel attacks that you will probably have no defences against. This is not a comforting thought for most of the management responsible for security.
Some of these vulnerabilities have vendors and their informed customers scrabbling around, testing and deploying hastily written patches. During pentests we often find systems that are not fully patched. This always looks like a "customer shoots themselves in the foot" moment: the customer knew the date of the pentest (perhaps because it's an annual requirement, or because they asked for the test), yet no scheduled patching programme ran before it. At least there are ways to manage patching. For example: regular vulnerability scans (contact us if you wish to have details of our very cost-effective continual scanning service), or keeping a close eye on vendor updates and change logs for the technologies used by the business.
Other published research concerns vulnerabilities that arise from flaws in an implementation or in configuration settings. Those settings may even have been hardened in line with industry good-practice benchmarks from CIS, SANS, NCSC and NIST. However, someone has worked out a way to compromise those selfsame implementations and configurations, and no amount of patching will dig you out of this hole. In these instances, unless you are aware of the research and have done something to mitigate it, you are likely to become the victim of an attack.
It is definitely worth following cybersecurity news, being aware of the security talks given at the bigger conferences (DEF CON, Black Hat, SteelCon, DerbyCon, Hack.lu etc.), and following the blogs and tweets of influential people in the security industry. Yes, this is a challenge, especially when you are hard pressed to find free time. Consider following us, or use our services. Either way, we will keep you informed, and it will be relevant because we will know your estate and your appetite for risk. After all, you are engaging us to be your partner. Let us look after the cyber security whilst you do what you do best.