Most successful exploits are against unpatched computers. Fix that, and you are suddenly a good deal safer.
All the big cybercrime headlines these days involve major breaches and theft. One of this year’s biggest stories was the recently disclosed theft of a stunning $1 billion from banks by a group of cybercriminals wielding malware and social engineering skills.
The attack is what gets all the attention, not the vulnerabilities that allowed it.
The most serious and neglected vulnerability is lack of patching. Nine out of ten successful hacks are waged against unpatched computers.
Anti-virus and anti-malware software is absolutely critical. But these tools only block known attacks. More and more cybercriminals go after vulnerabilities that haven’t been discovered or, if found, haven’t yet been plugged.
Here is the scenario. A cybercriminal discovers a flaw and crafts code to exploit it. Or a security researcher publishes the details of the flaw. Either way, the vendor rushes out a patch and most think all is well.
Those that quickly and thoroughly installed the patch dodged a bullet. The problem is that only a minority of shops fall into this category. Little more than a third of small businesses regularly patch their systems, or so says a survey by the Federation of Small Businesses in the UK.
The patch itself is a roadmap for a successful exploit. Once it is released, cybercriminals craft exploits that go after the hole the patch is meant to fix, knowing that not all shops will install the patch, and those that do may not hit all computers. The machines that aren’t patched are sitting ducks.
Some shops are great at patching Windows and other Microsoft tools and applications. This is all thanks to Patch Tuesday, the second Tuesday of every month when Microsoft releases fixes.
Unfortunately, not all of these fixes get installed. Even worse, Microsoft may be the least of your patch worries.
Why is patching so thinly distributed?
Patching is not 100% for several reasons. Unpatched computers are not always seen as a vulnerability concern. And patching, without the proper tools, is time consuming, expensive and very hard.
“Customers may shy away from dealing with regular patching or overdue software upgrades because they have concerns about price, time, or complexity. However, based on our conversations with customers, an ‘only as-needed’ approach to software support is short-sighted, and could expose customers to security and compliance risks, and losses in employee productivity and business revenue depending on the software involved,” wrote Ovum analyst John Madden in his “Avoiding security risks with regular patching and support services” report.
Besides patching, Madden also suggests using the latest versions of critical software products. Windows XP, for instance, is now famously unsupported. “In some cases, customers are using older product versions that are no longer supported or patched, so an upgrade is the most effective way to make sure their patching program, and their overall security profile, is best,” Ovum argued.
Pressing patching concerns
While it doesn’t usually make headlines, patching is more important than ever. Two factors make proper patching critical. First, cybercriminals are more sophisticated than ever, and they now include state-sponsored hacking groups and organized crime.
Second, there are more and more apps installed in today’s shops, apps of increasing complexity and with a large attack surface.
Gartner research also bears this out. “In the darkest woods of IT, patching third-party applications on a desktop remains a significant challenge for many organizations. Patching server OSs (Windows and Linux/UNIX) and third-party server applications also remains challenging due to fragility of many server environments. Add virtualization to the mix – and you have a full-blown slow-cooking disaster. And then you have Java…a security disaster in a league of its own,” wrote Gartner analyst Anton Chuvakin in a recent blog. “Java, Adobe Reader and Flash, Firefox, Oracle fat clients as well as many vertical and business-specific applications are often patched MUCH later than Windows and Office.”
Worst offenders include Oracle and Adobe
Microsoft has its fair share of patches, sometimes releasing over twelve on Patch Tuesday. The good news is that many Windows client patches are installed automatically through Windows Update – if your copy of Windows is genuine and relatively up to date.
And Windows Server Update Services (WSUS) does a decent, if not fully automated, job of distributing and applying server fixes.
The big new offenders are Oracle (Java in particular), Adobe, and even Apple with QuickTime and iTunes. In fact, Oracle has been known to release well over 100 patches in a single batch.
The answer: Get organized, go multi-platform, and automate
In the early days of patching, IT shops used a wholly manual process or built their own patching tools. Neither approach can keep up with the growing patch onslaught or the increasingly multi-platform nature of the problem.
The first step is to make sure your staff is organized to patch properly. Who is responsible and how are they held accountable?
Next up, conduct an inventory so you know what you have to patch, and be sure this process is regularly repeatable or that new machines and pieces of software are automatically discovered.
Finally, look for tools that can automate the patch process, patch many machines, OSes, apps and tools, and that can track and report in depth on patch status.
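The three steps above (ownership, inventory, status reporting) can be sketched as a small report over an inventory; this is an added example, not code from the article or from any patching product. Host names, owners, product names, versions and baselines are all constructed for illustration.

```python
from collections import defaultdict
# Constructed baseline: minimum patched version per (platform, product); None = no longer patched by the vendor.
BASELINE = {
    ("windows", "os"): "6.3.2",
    ("windows", "java"): "8.0.40",
    ("windows", "pdf-reader"): "11.0.10",
    ("linux", "os"): "3.10.5",
    ("linux", "java"): "8.0.40",
    ("windows-legacy", "os"): None,
}

# Constructed inventory rows: (host, platform, owner, product, installed version).
INVENTORY = [
    ("ws-01", "windows", "desktop-team", "os", "6.3.2"),
    ("ws-01", "windows", "desktop-team", "java", "8.0.31"),
    ("ws-01", "windows", "desktop-team", "pdf-reader", "11.0.10"),
    ("ws-02", "windows-legacy", "desktop-team", "os", "5.1.3"),
    ("srv-01", "linux", "server-team", "os", "3.10.12"),
    ("srv-01", "linux", "server-team", "java", "8.0.9"),
    ("srv-01", "linux", "server-team", "media-player", "7.7"),
]

def parse_version(text):
    """Turn '8.0.9' into (8, 0, 9) so it sorts below 8.0.40 (a string compare would not)."""
    return tuple(int(part) for part in text.split("."))

def patch_status(platform, product, installed):
    if (platform, product) not in BASELINE:
        return "untracked"  # discovered software that nobody is patching yet
    minimum = BASELINE[(platform, product)]
    if minimum is None:
        return "unsupported"  # no patch will arrive; only an upgrade helps
    if parse_version(installed) < parse_version(minimum):
        return "missing-patch"
    return "patched"

def patch_report(inventory):
    """Return (percent patched, open findings grouped by the responsible owner)."""
    findings, patched = defaultdict(list), 0
    for host, platform, owner, product, installed in inventory:
        status = patch_status(platform, product, installed)
        if status == "patched":
            patched += 1
        else:
            findings[owner].append((host, product, status))
    return round(100 * patched / max(len(inventory), 1)), dict(findings)

if __name__ == "__main__":
    print("percent patched, open findings by owner:", patch_report(INVENTORY))
```

Grouping findings by owner answers the accountability question directly, and the "untracked" status surfaces newly discovered software that has no patch baseline yet.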