To Update or Not to Update: There is No Question!
It’s a new year. So, what does that mean advice-wise coming from me?
“Update your equipment!”
But haven’t I said this oftentimes before? (Hint: Yes, I have!) This is the mantra that all Security Specialists sing (and many IT people too).
Does that mean that updates should be applied as soon as they become available? What if you’re in the middle of making a presentation, working on an important document or trying to correct a critical infrastructure issue? What if the update requires an immediate reboot? What if the answer is Yes to all of these, at once?
If you were running Windows 10, Microsoft would say the answer to that question is: “Yes. It’s happening right now. You have no choice.”
To be fair, there’s good logic behind that stance. Take the Equifax breach, for example. If they had simply patched that server, it never would have happened (the patch had been available for several months prior to the breach). Companies get compromised because some patch that has been available for a long time (even years, sometimes!) wasn’t applied. What do they do? Point fingers at the software manufacturer. I’ve seen news articles with this exact scenario happen again and again over the years.
As part of doing a Security Audit, one thing I examine is the software, and I don’t stop at the operating system. I also look at everything that’s installed on every computer, whether it’s used or not. Having unpatched software can be a major Security Risk (think Equifax). This is an area where I can state, with a high degree of confidence, that most organizations are getting it wrong.
This is because, in order to do this “right”, you need to have a plan. In the Security Audits I have done, not a single organization has ever had an official Policy or Procedure when it comes to patches and staying up-to-date. Many of them have had unofficial rules in place, which is better than nothing, though not by much.
So how does an organization go about making an official Policy regarding firmware and software updates? I thought about this and broke the problem down into several steps:
Step 1: Nobody has Admin privileges on day-to-day accounts… EVER.
Yes; this even applies to IT staff. Admin-level accounts should only be used to perform activities that require them, like adding or removing software and some maintenance tasks. Only individuals whose job it is to perform those sorts of activities should even have access to their own Admin accounts. This will help prevent unauthorized software from showing up unexpectedly.
Some software does not require admin privileges to install, so it’s not a complete fix, but it helps a lot. This is where you need to start. Overlooking it will simply increase the workload later.
Step 2: Actively monitor your software.
You can’t keep track of software without actively looking at your computers (an Excel spreadsheet with a list of purchases isn’t good enough). This means you need to be actively monitoring the software you’ve installed and the vendors you’ve purchased it from, to see if updates are available and whether they’ve been applied. This may sound like a labour-intensive activity (going from machine to machine), but the fact is that this can be handled automatically, by using software.
You can monitor what’s installed on a computer automatically, using software. It can detect when something new is introduced, as well as when something is updated, and send an alert to your IT staff about it. Ideally, every such alert should correspond to something IT deliberately installed. Anything else should be quickly investigated.
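What that monitoring looks like in practice, as an added example that is not code from the original post or from any particular inventory product: a host’s current software list is compared against the last audited baseline, and every difference is checked against IT’s own change records. Only the unexplained changes become alerts. The package names, versions and change log below are constructed sample data.

```python
"""Added example (not from the original post): diff a host's installed-software
snapshot against the last audited baseline and flag anything that was not
introduced through an IT change record. All data below is constructed."""
from dataclasses import dataclass

# Constructed baseline: package -> version recorded at the last audit
BASELINE = {
    "Acme Office": "12.1.0",
    "PDF Reader": "9.4.2",
    "VPN Client": "3.2.0",
    "Web Browser": "118.0",
}

# Constructed snapshot taken from the same host today
CURRENT = {
    "Acme Office": "12.1.0",
    "PDF Reader": "9.5.0",      # updated
    "Web Browser": "118.0",
    "Screen Recorder": "1.0",   # new, and nobody in IT installed it
}

# Constructed IT change log: (package, version) for installs and updates,
# (package, None) for deliberate removals
CHANGE_LOG = {("PDF Reader", "9.5.0")}


@dataclass(frozen=True)
class Finding:
    package: str
    change: str        # "added", "updated" or "removed"
    version: str
    authorized: bool   # True when a matching change record exists


def diff_inventory(baseline, current, change_log):
    """Return one Finding per package whose state differs from the baseline."""
    findings = []
    for pkg, ver in current.items():
        if pkg not in baseline:
            findings.append(Finding(pkg, "added", ver, (pkg, ver) in change_log))
        elif baseline[pkg] != ver:
            findings.append(Finding(pkg, "updated", ver, (pkg, ver) in change_log))
    for pkg, ver in baseline.items():
        if pkg not in current:
            findings.append(Finding(pkg, "removed", ver, (pkg, None) in change_log))
    return findings


def alerts(findings):
    """Only unexplained changes are worth an alert to IT; the rest are audit trail."""
    return [f for f in findings if not f.authorized]


if __name__ == "__main__":
    for f in diff_inventory(BASELINE, CURRENT, CHANGE_LOG):
        status = "ok" if f.authorized else "ALERT"
        print(f"[{status}] {f.package} {f.change} ({f.version})")
```

Run against the sample data, the updated PDF Reader is matched by its change record and stays quiet, while the new Screen Recorder and the missing VPN Client are raised for investigation. A real deployment would feed the two dictionaries from an agent or a package-manager query and the change log from the ticketing system, but the decision logic stays the same.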
Step 3: Evaluate the risk for each patch.
This means two things:
First, when a patch becomes available, you DO NOT install it immediately… EVER!!
Second, your IT team needs to learn what the patch REALLY does.
When a patch comes out, your IT team needs to analyze the release/patch notes and ask questions like:
- Does this patch add a new feature?
- If so, would this feature benefit the organization?
- Could the patch fix a Security flaw?
- If so, what is the nature of the flaw and how could it impact the outfit?
- Would installing this patch pose a risk to an organization’s data or workflow?
- Would it require a reboot?
- Is the patch for a device that is directly accessible from the Internet?
… and so on…
Essentially, they need to understand what the patch does and how it’s going to impact the organization, so that they can properly prioritize its installation (Critical, High or Low).
Step 4: Create a Schedule for Patch Installation.
Now that unauthorized installs are being prevented, your software is being monitored and each patch is being evaluated, you need a schedule you can follow for installing updates.
An example of an official schedule would be something like:
- High: Once a week (at a given time and day).
- Low: Once a month for low priority patches.
- Critical: ASAP (can’t wait for the weekly update).
You may also want additional patch levels, for example to separate out the ones that require a reboot. This is just an example, a sample plan. Each step along the way requires its own Policies, Procedures and Tools to accomplish.
For example, let’s take a brief look at Step 1:
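To show how Step 3 and Step 4 fit together, here is an added example (my own code, not from the original post): the answers to the review questions above are recorded for each patch, turned into a Critical/High/Low priority, and mapped onto an install window. The schedule itself is a constructed policy (weekly window on Wednesday at 19:00, monthly window on the first Wednesday at 19:00, Critical installed immediately); the priority rules are one reasonable reading of the questions, not the author’s, and an organization would tune both.

```python
"""Added example (not from the original post): turn the answers to the Step 3
review questions into a Critical/High/Low priority and pick the install window
from a Step 4 style schedule. Window times are a constructed policy."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum

WEEKLY_DAY = 2      # Wednesday (Monday == 0); constructed policy
WINDOW_HOUR = 19    # 19:00 local time; constructed policy


class Priority(Enum):
    CRITICAL = "Critical"
    HIGH = "High"
    LOW = "Low"


@dataclass
class PatchReview:
    """One row of the IT team's answers to the review questions."""
    name: str
    adds_feature: bool
    feature_benefits_org: bool
    fixes_security_flaw: bool
    flaw_impact: str            # "none", "low" or "high", judged from the release notes
    risks_data_or_workflow: bool
    requires_reboot: bool
    internet_facing: bool


def prioritize(r: PatchReview) -> Priority:
    """Security fixes on exposed devices or with high impact cannot wait for the weekly slot."""
    if r.fixes_security_flaw and (r.internet_facing or r.flaw_impact == "high"):
        return Priority.CRITICAL
    if r.fixes_security_flaw:
        return Priority.HIGH
    return Priority.LOW   # feature-only or housekeeping patches ride the monthly slot


def _at_window_hour(d: datetime) -> datetime:
    return d.replace(hour=WINDOW_HOUR, minute=0, second=0, microsecond=0)


def next_weekly_window(now: datetime) -> datetime:
    """Next weekly slot strictly after 'now'."""
    days_ahead = (WEEKLY_DAY - now.weekday()) % 7
    candidate = _at_window_hour(now + timedelta(days=days_ahead))
    if candidate <= now:
        candidate += timedelta(days=7)
    return candidate


def next_monthly_window(now: datetime) -> datetime:
    """Next 'first WEEKLY_DAY of the month' slot strictly after 'now'."""
    year, month = now.year, now.month
    while True:
        first = datetime(year, month, 1, WINDOW_HOUR)
        candidate = first + timedelta(days=(WEEKLY_DAY - first.weekday()) % 7)
        if candidate > now:
            return candidate
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)


def schedule(r: PatchReview, now: datetime):
    """Return (priority, install time, notes) for one reviewed patch."""
    p = prioritize(r)
    if p is Priority.CRITICAL:
        when = now                      # ASAP: do not wait for the weekly slot
    elif p is Priority.HIGH:
        when = next_weekly_window(now)
    else:
        when = next_monthly_window(now)
    notes = []
    if r.requires_reboot:
        notes.append("reboot required: warn users before the window")
    if r.risks_data_or_workflow:
        notes.append("workflow risk: back up and test on a pilot machine first")
    if r.adds_feature and not r.feature_benefits_org and not r.fixes_security_flaw:
        notes.append("no organizational benefit: candidate for deferral")
    return p, when, notes


if __name__ == "__main__":
    now = datetime(2024, 1, 15, 10, 0)   # a Monday morning; constructed
    review = PatchReview("edge firewall firmware", False, False, True, "high",
                         False, True, True)
    print(schedule(review, now))
```

The same three functions can drive a ticket per patch: the priority decides the queue, the window becomes the ticket’s due time, and the notes become its checklist. Splitting reboot-required patches into their own level, as suggested above, is a one-line change to `schedule`.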
In order to make sure that nobody is using Admin-level accounts for day-to-day work, you first need to do an audit of all your user accounts and check the permissions they have. After that, you need to monitor your user account logins, or at least your Admin user logins.
If you aren’t doing both, then sooner or later you are going to see strange software popping up on your computers. That software may or may not have gone through any sort of vetting process to make sure it’s compatible with your organization’s equipment or other software. This means it may or may not be quality software, which makes it a liability. So, someone needs to make a case for why the software should stay, or it gets removed.
You can break down each step in similar fashion. Each phase will have its own little group of Policies, Procedures and Tools that will need to be put in place to accomplish it within your outfit. The immediate payoff is an increase in the stability of your computers (which in turn affects your workflow, employee stress levels, and so on).
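The two checks just described (audit who holds Admin rights, then watch Admin logins), as an added example that is not from the original post: the administrators group is compared against the short approved list of dedicated Admin accounts, and a login log is reviewed so that any use of an unapproved Admin account becomes a finding while approved use is simply tallied for periodic review. The account names, group dump and key=value log layout are all constructed.

```python
"""Added example (not from the original post): audit admin group membership
against the approved list, then review admin logins. All names, the group
dump and the log-line layout are constructed."""
import re
from collections import Counter

# Constructed policy: only the dedicated "adm-" accounts of the two people
# whose job needs admin rights may hold them.
APPROVED_ADMIN_ACCOUNTS = {"adm-jsmith", "adm-mlee"}

# Constructed dump of the administrators group on a host
ADMIN_GROUP_MEMBERS = {"adm-jsmith", "adm-mlee", "jdoe", "svc-backup"}

# Constructed login records in a simple key=value layout
LOGIN_LOG = """\
2024-01-15T08:55:10 account=jdoe logon=interactive host=WS-042
2024-01-15T09:02:11 account=adm-jsmith logon=interactive host=WS-042
2024-01-15T11:40:03 account=svc-backup logon=service host=SRV-01
2024-01-15T14:12:45 account=adm-mlee logon=remote host=SRV-01
2024-01-15T18:01:00 account=jdoe logon=interactive host=WS-042
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) logon=(?P<logon>\S+) host=(?P<host>\S+)$"
)


def audit_admin_membership(members, approved):
    """Accounts that hold admin rights without being on the approved list."""
    return sorted(members - approved)


def parse_logins(text):
    """Parse the constructed log layout; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def review_admin_logins(records, members, approved):
    """Split admin-account logins into expected use (tallied) and findings."""
    usage = Counter()
    findings = []
    for r in records:
        acct = r["account"]
        if acct not in members:
            continue                  # not an admin account: out of scope here
        if acct in approved:
            usage[acct] += 1          # expected, but still reviewed periodically
        else:
            findings.append(
                f"{r['ts']} {acct} ({r['logon']} on {r['host']}): "
                "unapproved admin account in use"
            )
    return usage, findings


if __name__ == "__main__":
    print("unapproved admin holders:",
          audit_admin_membership(ADMIN_GROUP_MEMBERS, APPROVED_ADMIN_ACCOUNTS))
    usage, findings = review_admin_logins(parse_logins(LOGIN_LOG),
                                          ADMIN_GROUP_MEMBERS, APPROVED_ADMIN_ACCOUNTS)
    print("approved admin logins:", dict(usage))
    for f in findings:
        print("FINDING:", f)
```

On the sample data the membership audit surfaces `jdoe` (a day-to-day account that should never be an Admin) and `svc-backup` (a service account that needs its own justification), and the login review turns each of their logins into a finding. Feeding the same functions from a real directory export and the authentication log is the remaining work; the policy questions they answer do not change.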
If you have any questions about Update Strategies, please reach out to your TRINUS Account Manager for some stress-free IT.
By Kind Courtesy of Your Friendly Neighbourhood Cyber-Man.