Learn why it’s important to update your software and install security patches.
By: George Mateaki
SEE ALSO: PCI Requirement 6: Updating Your Systems
- It takes time
- They aren’t aware of the update
- They don’t see it as necessary
- The equipment doesn’t support the update
software and applications regularly.
SEE ALSO: How Long are Businesses Vulnerable Before a Security Breach?
What are security patches?
Even the best software can eventually have a vulnerability show up. This is where patching comes in. Security patches are pieces of software or code that fix a vulnerability in the software or code they apply to.
For example, the DLL hijacking vulnerability allowed cybercriminals to place files that Microsoft automatically opened in the folder associated with MS Office documents. This “feature” allowed the execution of malicious software. I used this as part of my penetration testing to check if users would open files on an unknown USB drive found in the parking lot. Microsoft eventually patched this flaw, which affected all versions of Windows.
Patches can be distributed in two ways: as source code or as an executable file. Source code is a common way to distribute updates, but it requires recompiling the program, while patches for proprietary software are usually distributed as executable files. Most systems and applications have a utility that checks for and applies updates.
Some companies release security patches and updates for their software on a regular schedule. Microsoft releases its patches on the second Tuesday of every month, which coined the term “Patch Tuesday.”
Why should I update software?
PCI Requirement 6.1 states that merchants must “deploy critical patches within a month of release” to maintain compliance.
Just like you should clean and cover your cuts, you’re responsible for patching your business’s security where needed.
Technology is constantly changing. And alongside it, data thieves are coming up with new techniques to find and exploit vulnerabilities in software. No matter how secure your software may be, over time, a vulnerability will arise that can be a cybercriminal’s gateway into your business.
SEE ALSO: A Hacking Scenario: How Hackers Choose Their Victims
Patch management tips
It can be difficult to keep track of what software needs updating and what patches have been released. Here are some basic steps you can use to perform patch management.
- Get the notification from vendors and third-party organizations on new updates and patches.
- Do a risk analysis to see if this update applies to your business.
- Come up with a plan to install the security patch.
- Test the security patch before you implement it. Make sure the patched software is working properly.
- Install the security patch in your business environment.
- Make sure the patch is properly installed and the systems still perform properly. Sometimes patches can cause other systems to stop working, especially if they’re installed incorrectly.
- Update all your documents to include any changes made or patches installed.
- Get on your vendor’s patch/upgrade list: You can’t update anything if you don’t know about it. Most software vendors have a patch/upgrade email list. Ask them to put you on it to stay current on patches.
- Establish a schedule: For some software, it may be easier to update it on a regular basis. Make a schedule that outlines when and how you’ll install updates.
- Update within 24 hours of a patch being released: the longer you wait to update, the longer your business is vulnerable.
- Do vulnerability scanning to find security holes: by scanning your software regularly, you can find vulnerabilities that need to be patched.
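The steps above are easier to follow when each patch is tracked through its stages (notified, risk-assessed, tested, installed, verified) against the deadlines this article names: the 24-hour target and the 30-day PCI Requirement 6.1 window for critical patches. The script below is an added example, not SecurityMetrics' code or a vendor tool. The advisory names, products, hosts and dates are constructed for illustration; in practice they would come from your vendor notification list and your asset inventory.

```python
"""Track patches through the patch-management steps and flag overdue ones.

Added example; advisory IDs, products, hosts and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# PCI Requirement 6.1: critical patches within a month of release (as quoted above).
PCI_CRITICAL_DEADLINE = timedelta(days=30)
# The article's recommended target: update within 24 hours of release.
TARGET = timedelta(days=1)


@dataclass
class Patch:
    """One vendor advisory and the dates each patch-management step was done."""
    advisory: str           # hypothetical advisory identifier
    product: str
    severity: str           # "critical", "high", "medium", "low"
    released: date          # step 1: notification received from the vendor
    tested: Optional[date] = None     # step 4: tested outside production
    installed: Optional[date] = None  # step 5: installed in the business environment
    verified: Optional[date] = None   # step 6: confirmed working after install


# Constructed asset inventory: product -> hosts where it is installed.
INVENTORY: Dict[str, List[str]] = {
    "WebServer-X": ["srv01", "srv02"],
    "OfficeSuite-Y": ["ws01", "ws02", "ws03"],
}

# Constructed advisories as they might arrive from a vendor's patch mailing list.
SAMPLE_PATCHES = [
    Patch("ADV-2024-001", "WebServer-X", "critical", date(2024, 2, 1),
          tested=date(2024, 2, 3), installed=date(2024, 2, 4), verified=date(2024, 2, 5)),
    Patch("ADV-2024-002", "OfficeSuite-Y", "critical", date(2024, 2, 10)),
    Patch("ADV-2024-003", "Database-Z", "critical", date(2024, 3, 1)),   # not in use here
    Patch("ADV-2024-004", "WebServer-X", "high", date(2024, 3, 14),
          tested=date(2024, 3, 14), installed=date(2024, 3, 14)),
]


def applicable(patch: Patch, inventory: Dict[str, List[str]]) -> bool:
    """Step 2, risk analysis: does this patch apply to software we actually run?"""
    return patch.product in inventory


def patch_status(patch: Patch) -> str:
    """Where the patch sits in the workflow (steps 4 to 6)."""
    if patch.verified:
        return "verified"
    if patch.installed:
        return "installed-unverified"   # step 6 still outstanding
    if patch.tested:
        return "tested"
    return "pending"


def compliance_report(patches: List[Patch], inventory: Dict[str, List[str]],
                      today: date) -> List[dict]:
    """One row per applicable patch; overdue items first, then oldest open ones."""
    rows = []
    for p in patches:
        if not applicable(p, inventory):
            continue  # document the decision in your change records, then move on
        clock_stop = p.installed or today        # exposure ends when the patch is installed
        days_open = (clock_stop - p.released).days
        pci_deadline = p.released + PCI_CRITICAL_DEADLINE
        rows.append({
            "advisory": p.advisory,
            "product": p.product,
            "hosts": inventory[p.product],
            "status": patch_status(p),
            "days_open": days_open,
            "pci_deadline": pci_deadline,
            # Only critical patches carry the 30-day PCI deadline; still open past it is a finding.
            "overdue": p.severity == "critical" and p.installed is None and today > pci_deadline,
            "missed_24h_target": days_open > TARGET.days,
        })
    rows.sort(key=lambda r: (not r["overdue"], -r["days_open"]))
    return rows


if __name__ == "__main__":
    for row in compliance_report(SAMPLE_PATCHES, INVENTORY, date(2024, 3, 15)):
        flag = "OVERDUE" if row["overdue"] else ("late" if row["missed_24h_target"] else "ok")
        print(f'{row["advisory"]:13} {row["product"]:14} {row["status"]:20} '
              f'{row["days_open"]:3}d  PCI by {row["pci_deadline"]}  {flag}  hosts={row["hosts"]}')
```

Run against the constructed data on 15 March 2024, the report puts ADV-2024-002 first: a critical patch for software you run, still pending 34 days after release, past its PCI deadline of 11 March. ADV-2024-001 was installed within three days (inside the PCI window but outside the 24-hour target), and ADV-2024-004 was installed the day it was released but has not yet been verified, which is exactly the step the article warns about when a patch breaks something else. ADV-2024-003 is dropped at the risk-analysis step because the product is not in the inventory.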
No matter how you do it, you should be vigilant about updating the software associated with your system. Make sure your business doesn’t suffer a breach simply because your software wasn’t up to date.
George Mateaki (CISSP, CISA, QSA, PA-QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.