As a security professional, I believe it is imperative to make everyone aware that cyber criminals, to a certain extent, do not care what day, month or year it is, and neither should we. If there is an exploit or vulnerability to be found, they will find it!
That is where our super sexy security subject for this post comes in – Patching!
I’m sure we all know what patching is at a high level, but we may not all know why we should be ensuring that patching is done on a regular basis, as well as how to make sure that it is done in a secure manner. These are all points that I would like to highlight as part of this security knowledge nugget.
Patching essentially involves the implementation of updates to software, such as operating systems and applications, in order to:
- ☠️ fix security issues or vulnerabilities
- 🤖 implement updated or new features and functionality
- 🐞 resolve bugs and broken features
Obviously, seeing as this is an article about security, we are mostly concerned with the first point above, but that doesn’t mean that the others should be disregarded. I see the implementation of new features in a software update as an incentive to users to update, and as a “side effect” implement better security within their application or operating system. Admittedly, it should be the other way around, but realistically speaking, users are much more enticed by shiny new features. This mindset, however, is thankfully changing, with more and more users concerned with the security of the applications they use and how their data is being handled and protected.
Moving on, there are some important things to note when dealing with software updates, to ensure that patching is performed in a safe and managed manner. The following are some guidelines that we should all follow:
- Updates should only be retrieved from trusted sources ✅
- Beware of unsolicited update pop-ups from unknown sources 🛑
- Updates should be installed as soon as possible, especially if they involve critical security fixes 📛
That last guideline, however, has some caveats to note, especially in an enterprise environment. Some updates have unforeseen issues that are usually reported to the provider a few days after they are released to the public. Therefore, unless there are critical security fixes that need to be applied, it is good practice to wait a few days before applying these and to monitor updates from the supplier in relation to the patches in question. Alternatively, updates can be applied to test or staging environments first, tested on these environments, and then applied to live or production environments. The methodology used will depend on the setup of an organisation’s infrastructure.
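The caveats above can be written down as a small rollout policy. The following is an added example, not part of the original article: the three-day waiting period, the field names, the "escalate" outcome for a critical fix that itself has a reported problem, and the sample inventory are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SOAK_DAYS = 3  # assumption: the article only says "a few days"

@dataclass
class Update:
    name: str
    released: date
    critical_security: bool                # supplier rates it a critical security fix
    supplier_issue: bool = False           # a problem with this patch was reported after release
    staging_passed: Optional[bool] = None  # None means no staging result exists

def decide(u: Update, today: date) -> tuple:
    """Return (action, reason) for one pending update."""
    if u.staging_passed is False:
        return ("hold", "failed testing in staging")
    if u.supplier_issue:
        if u.critical_security:
            # Not covered by the article; assumed here to need a human decision.
            return ("escalate", "critical fix with a reported problem")
        return ("hold", "supplier reported a problem with this patch")
    if u.critical_security:
        return ("deploy", "critical security fix, no waiting period")
    if u.staging_passed:
        return ("deploy", "tested in staging")
    ready = u.released + timedelta(days=SOAK_DAYS)
    if today >= ready:
        return ("deploy", f"no problems reported after {SOAK_DAYS} days")
    return ("wait", f"re-check on {ready.isoformat()}")

def plan(updates, today: date) -> dict:
    """Map each update name to its (action, reason)."""
    return {u.name: decide(u, today) for u in updates}

# Constructed sample inventory; package names and dates are made up.
TODAY = date(2024, 5, 10)
PENDING = [
    Update("os-kernel", date(2024, 5, 9), critical_security=True),
    Update("office-suite", date(2024, 5, 9), critical_security=False),
    Update("pdf-reader", date(2024, 5, 1), critical_security=False),
    Update("db-driver", date(2024, 5, 1), critical_security=False, supplier_issue=True),
    Update("web-framework", date(2024, 5, 9), critical_security=False, staging_passed=True),
]

if __name__ == "__main__":
    for name, (action, reason) in plan(PENDING, TODAY).items():
        print(f"{name:14} {action:8} {reason}")
```

A failed staging test blocks the update even when it is a critical fix, so a broken patch never reaches production just because it is urgent.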
As some final food (or drink) for thought, the following poster from Proofpoint provides an amusing yet interesting analogy with regards to the application of updates, so I thought it pertinent to the content of this article.
On that note, I’d like to thank you all for taking the time to read through the first few security awareness articles and I really hope that you are finding these snippets useful and that they have helped you think about security from a different perspective.
In the end, more knowledgeable individuals, families and companies usually lead to a more secure digital ecosystem and a safer digital world, which is good for all of us.