Software updates are for life, not just for Microsoft...
Stewart Twynham of Bawden Quinn discusses some of the essential points of software updates, and how to go about them.
Every year, thousands of security holes are discovered in software applications, operating systems, and devices. In fact, patch management is one of the single largest concerns of IT managers and system maintainers today. While most small businesses begrudgingly accept the need to update their desktop PCs from time to time, systems audits suggest businesses fail to look beyond Microsoft’s desktop products, leaving their systems hopelessly exposed.
The Microsoft Effect
Microsoft has come under a great deal of fire recently. This October was particularly busy for most IT departments and support companies as they struggled to cope with the volume of updates coming out of Redmond. My laptop, for example, required three separate update events (in a normal month it’s just one) - receiving no fewer than 15 separate critical security updates.
But Microsoft isn’t the only software company to have discovered flaws in its software, and at least it is doing something about the issue.
So it’s not just Microsoft then?
Forget Microsoft: it’s not even just desktop PCs or servers - anything which contains software could be affected.
At home, for example, I use reputable brands of ADSL router and firewall. After just six months they have clocked up seven “critical” firmware updates between them.
There are two big myths with open source - (i) that it’s free and (ii) that it’s more secure. They stem from a misunderstanding of the term “open”, which simply means you can look at the source code.
Source code is like the transactions in an accounting system - it’s the basic building block of a software application. The finished product (like a set of statutory accounts) has much less detail, so you cannot see what’s going on under the bonnet. In “closed source” software, you’ve no idea what’s underneath.
With open source systems, you get to see exactly how the software was written - and the theory goes that this greater level of scrutiny, together with the ease of modifying the software, results in more secure systems. In reality, the source code is also available to hackers, who may use that knowledge to their advantage.
The surge in critical updates
The recent surge in critical security updates has surprised many observers - but it follows a fairly typical pattern:
- Every so often, a novel or subtle way of attacking a system or application software will be discovered.
- Sometimes, this vulnerability isn’t a one-off. The particular piece of software concerned might also appear in multiple places - either within the same application or in other applications.
Recent updates have also been compounded by a change in the way Microsoft handles “mitigating factors”. In the past, security ratings may have been lowered if an exploit required the user to take action such as being drawn to a website. The explosion in phishing combined with the power of spam means that such exploits are now routinely classed as critical, as so many users get caught out.
If you don’t patch your equipment, it’s likely to be bad news. The Internet is currently a breeding ground for Trojans and other nasty software designed to steal personal information or online bank account details. Combined with an unpatched vulnerability (an “exploit”), this often means that such software can be installed secretly, without the user ever knowing - and the chances are your anti-virus software won’t spot it either.
The best way to keep safe is to keep your software up to date. That means all software, in all devices, not just your desktop PCs.
- Start by bringing your asset register up to date (or make one if you haven’t got one!) - documenting all systems and software used on your network. Don’t forget items such as routers, firewalls, managed switches, telephone systems, banking devices, etc.
- Don’t rely solely on automated tools such as Windows Update to protect your network. Windows Update only covers certain core products, ignoring for instance certain versions of the Office suite and in some cases back-office products such as Exchange or SQL Server. And it won’t cover any non-Microsoft products at all.
- The best all-round scanner for security updates on the Microsoft platform is the Microsoft Baseline Security Analyzer (MBSA) - this software is the only reliable way to check whether updates are required or whether they have been successfully applied.
- For larger networks, consider using Microsoft’s Windows Server Update Services - this lets you run your own version of “Windows Update” on your network - reducing bandwidth (only one machine needs to download each update), and giving you more control over what’s installed and what isn’t.
- Public-facing systems are obviously more exposed and tend to be live 24x7, so priority should be given here. Focus on ensuring that email and web servers, along with routers and firewalls, are kept fully up to date to protect your perimeter.
- Before you can update any system, you’ll need to understand all of the underlying components which make up that system. Your web server, for example, might be Apache running on Linux, and host a MySQL database driven application written in PHP. That’s potentially five separate things to update and manage: Linux, Apache, MySQL, PHP, plus of course the web application (.php files) itself.
- Check manufacturers’ websites for the latest updates as well as their policies regarding updates (especially where support may be reduced on an older product). Where possible, register for automatic notifications by email so that you can keep abreast of developments as they happen.
- One excellent resource is www.securityfocus.com which documents the updates for almost all software and hardware products out there.
- Before updating critical systems, take extra backups and carefully follow any release notes or guidance (for example, to disable certain services beforehand).
- Once you’re satisfied that all is well, take another back-up - so that you don’t have to do the whole thing again if you need to restore the system later.
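As an added illustration of the first, fifth and sixth steps above (this is example code, not part of the article), the small Python script below reads an asset register that lists every software or firmware component on the network, compares installed versions against the latest available, and reports the patch backlog with public-facing systems first. The register, its hostnames and its version numbers are constructed sample data.

```python
"""Patch backlog report from an asset register (constructed example)."""
import csv
import io
from typing import List, Tuple

# Constructed sample asset register: one row per component, covering the
# whole web server stack plus a router and a desktop, not just Windows.
ASSET_REGISTER = """\
asset,component,installed,latest,public_facing
web01,Linux kernel,2.6.15,2.6.17,yes
web01,Apache,2.0.55,2.0.58,yes
web01,MySQL,5.0.18,5.0.18,yes
web01,PHP,4.4.1,4.4.4,yes
gw01,ADSL router firmware,1.03,1.10,yes
pc12,Windows XP,SP2,SP2,no
pc12,Office 2003,11.6,11.8,no
"""


def parse_version(version: str) -> Tuple:
    """Turn a dotted version into a tuple that compares numerically where
    possible, so '2.6.9' sorts below '2.6.10' (plain string comparison
    would get that wrong). Non-numeric parts such as 'SP2' compare as text."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in version.split("."))


def is_outdated(installed: str, latest: str) -> bool:
    """True when the installed version is older than the latest available."""
    return parse_version(installed) < parse_version(latest)


def patch_backlog(register_csv: str) -> List[Tuple[str, str, str, str]]:
    """Return (asset, component, installed, latest) for every out-of-date
    component, public-facing systems first, then by asset and component."""
    rows = csv.DictReader(io.StringIO(register_csv))
    backlog = [r for r in rows if is_outdated(r["installed"], r["latest"])]
    backlog.sort(key=lambda r: (r["public_facing"] != "yes", r["asset"], r["component"]))
    return [(r["asset"], r["component"], r["installed"], r["latest"]) for r in backlog]


if __name__ == "__main__":
    for asset, component, installed, latest in patch_backlog(ASSET_REGISTER):
        print(f"{asset:6} {component:22} {installed:>8} -> {latest}")
```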
Stewart C. Twynham MBCS MIEE
© Bawden Quinn Associates Ltd, 2006