pv-009

Keeping Security Up-to-date

Purposeful View: Another reminder of the importance of keeping critical software up-to-date with security patches (by Walt Lapinsky, 3 January 2012)

Yesterday (this was written on 31 December 2011) I received a security alert email from Microsoft. As a long-time lover (and hater) of Microsoft and its products, I find it unusual to receive an out-of-band security bulletin.

This is not a complaint against Microsoft. I believe they acted responsibly in quickly getting a fix out for a .NET Framework vulnerability that could allow an unauthenticated attacker to elevate privilege.

Each year the United States Secret Service and the Verizon RISK Team publish a Data Breach Report. The 2011 report stated that 17% of the successful data breaches involved some form of privilege misuse. Usually this is something as simple as failing to change a person's access rights when they leave the company or are reassigned to a different role. These operational miscues are the openings that current and past employees use for inside attacks. While the percentage of successful breaches by insiders has dropped since 2010, the number that are deliberate attacks has risen by 93%. If you mess up privilege, someone is waiting to take advantage of that and hurt your company. Microsoft cannot keep you from making those kinds of errors. But they and your other critical software vendors can significantly reduce the chance of a software vulnerability impacting your business.

That same Data Breach Report showed that 94% of data breaches could have been easily avoided if the company had followed some simple, low-cost operational processes. The easiest thing to do is keep your operating system and other software up-to-date with security patches. The good news is that if you have automatic updating enabled, you will not need to take any action: your software will automatically download and install the update.

Big companies may have a large and talented enough IT staff to review each update from each software vendor for necessity and appropriateness. I have seen companies where that process took days or weeks. The time from when malware gets into your system, or a vulnerability is discovered (and spread over the Internet), until you start losing data is usually measured in hours or days. I have never understood the value of waiting. Get that patch in and minimize your risk.

Most Cloud Service Providers that provide Platform as a Service or Infrastructure as a Service offerings are paranoid about security. They often have better software update processes and procedures than your own company can provide, and it is one less thing for you to worry about.

Our view: Make sure all of your servers and workstations have automatic update enabled for your critical software components. Periodically verify that this is the case. Specifically ask your Cloud Service Provider(s) what their policy is in this area, and get the answer in writing.
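One way to do the periodic verification on a Windows machine, as an added example that is not part of the original post: it reads the Windows Update Agent's local setting and the Group Policy override, and treats "download and install on schedule" with no policy disabling it as the state the View recommends. The registry path and COM class are standard Windows Update ones; the Compliant rule is this example's own assumption.

```powershell
# Added check (not from the original post): report whether Windows Automatic
# Updates is enabled on this machine. Run in an elevated PowerShell on Windows.

function Get-AutoUpdateStatus {
    # AutomaticUpdatesNotificationLevel values exposed by the Windows Update Agent:
    # 0 = not configured, 1 = disabled, 2 = notify before download,
    # 3 = download then notify before install, 4 = download and install on schedule
    $levelNames = @{ 0 = 'Not configured'; 1 = 'Disabled'; 2 = 'Notify before download';
                     3 = 'Download, notify before install'; 4 = 'Download and install on schedule' }

    $au    = New-Object -ComObject 'Microsoft.Update.AutoUpdate'
    $level = [int]$au.Settings.NotificationLevel

    # Group Policy can override the local setting; NoAutoUpdate = 1 turns updates off
    # for the whole machine regardless of what the local control panel shows.
    $policyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $policy       = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $noAutoUpdate = $null
    if ($policy) { $noAutoUpdate = $policy.NoAutoUpdate }

    # Assumed compliance rule for this example: fully automatic install, not disabled by policy.
    $compliant = ($level -eq 4) -and ($noAutoUpdate -ne 1)

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        NotificationLevel  = $levelNames[$level]
        PolicyNoAutoUpdate = $noAutoUpdate
        LastInstallSuccess = $au.Results.LastInstallationSuccessDate
        Compliant          = $compliant
    }
}

Get-AutoUpdateStatus | Format-List
```

Run the function through Invoke-Command against a list of servers to collect the same report across a fleet, and keep the output as the written evidence the View asks for.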

Comments? Questions? Contrary views? Some event we missed?

We welcome your feedback at talk@purposefulclouds.com

Purposeful Clouds helps companies assess and plan their best options for Cloud technology adoption, with before-the-fact consideration of contingencies, ROI, and further migration strategies. To discuss how we would be able to help you make the best decisions, contact us at info@purposefulclouds.com.
