You can read the first part of this series here.
A recent paper from the Center for Strategic and International Studies contains some striking cyber security statistics. It included the fact that more than 90% of successful corporate network breaches required only the most basic techniques and that 75% of them exploited known vulnerabilities in commercial software. In summary, hacking is easy because computer systems have widely known vulnerabilities that can be exploited by anyone possessing basic computing skills and access to the internet.
Why updating your software is so important
Research from the DoD Defence Signals Directorate has established that just four mitigation strategies can prevent more than 85% of attacks. These strategies are:
- Application Whitelisting
- Operating System Patching
- Application Updates
- Restrict Administrative Privileges
Note that two out of the four mitigation strategies are about updating the software that is already installed on computer systems.
Operating System patches are issued by the vendor when a software defect has been fixed. Generally, patches are classified in order to indicate the severity and impact of the problem they resolve. Rather than issue them individually, most vendors collect their patches together in the form of periodic updates to their Operating Systems.
The speed with which a patch must be deployed depends on its potential impact; however, newly discovered vulnerabilities are ruthlessly exploited by hackers, so once a security patch has been released the clock is ticking…
Keeping desktop applications up to date is as important as patching the underlying Operating System. The difference comes from how updates are packaged and delivered, with less distinction made between the type of fix and its severity. In terms of deployment, some applications incorporate a self-update feature and others rely on the end-user or system management tools.
Why is software so often out-of-date?
Large organizations typically automate the task of software deployment using management tools such as Microsoft System Center. This should result in updates being deployed to all devices in a timely manner; however, there are still reasons why this fails, for example:
- Devices are switched off at the time of the update
- End-user intervention is required such as a reboot
- Software must be deployed over slow network links or to remote users
- The computer system is considered business critical and therefore updates must go through an approval process
These issues can be solved using modern systems management tools such as Nomad and NightWatchman; however, the challenge for most organizations is that the problem is hidden. Why not benchmark your organization to find out how you are doing?
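As an added illustration of what such a benchmark could measure (example code written for this post, not part of the original article or of any of the tools named above): each pending patch is judged against a deployment deadline set by its severity, and the overdue ones are grouped by the reason they are stuck, so the hidden problem becomes a number. The SLA windows, device names and inventory records are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed deployment deadline (days after release) per patch severity.
# These windows are illustrative, not taken from the article.
SLA_DAYS = {"critical": 2, "important": 14, "moderate": 30}


@dataclass
class PatchRecord:
    device: str
    patch: str
    severity: str
    released: date
    installed: bool
    blocker: Optional[str]  # why the patch is still pending, or None


def overdue(rec: PatchRecord, today: date) -> bool:
    """A pending patch is overdue once its severity's SLA window has elapsed."""
    if rec.installed:
        return False
    return (today - rec.released).days > SLA_DAYS[rec.severity]


def benchmark(records, today):
    """Return the compliance rate plus a count of overdue patches per blocker."""
    overdue_recs = [r for r in records if overdue(r, today)]
    by_blocker = {}
    for r in overdue_recs:
        by_blocker[r.blocker] = by_blocker.get(r.blocker, 0) + 1
    compliance = 1 - len(overdue_recs) / len(records) if records else 1.0
    return {"compliance": round(compliance, 3),
            "overdue": len(overdue_recs),
            "by_blocker": by_blocker}


# Constructed sample inventory; the blockers mirror the failure reasons listed above.
TODAY = date(2024, 3, 20)
SAMPLE = [
    PatchRecord("ws-001", "KB-A", "critical", date(2024, 3, 15), True, None),
    PatchRecord("ws-002", "KB-A", "critical", date(2024, 3, 15), False, "device offline"),
    PatchRecord("ws-003", "KB-A", "critical", date(2024, 3, 15), False, "reboot pending"),
    PatchRecord("srv-01", "KB-A", "critical", date(2024, 3, 15), False, "change approval"),
    PatchRecord("ws-004", "KB-B", "important", date(2024, 3, 10), False, "slow link"),
    PatchRecord("ws-005", "KB-C", "moderate", date(2024, 3, 1), False, "device offline"),
]

if __name__ == "__main__":
    print(benchmark(SAMPLE, TODAY))
```

Running it on the sample reports 50% compliance with three overdue critical patches, one per blocker, while the important and moderate patches are still inside their windows.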
In my next article I will look at the final mitigation strategy – restricting administrative privileges.
I found the following papers extremely useful when writing this blog series:
- Center for Strategic and International Studies – Raising the Bar for Cybersecurity
- DoD Defence Signals Directorate – Top 4 Mitigation Strategies to Protect Your ICT System
- SANS Institute – Critical Controls for Effective Cyber Defense