IT Risk #4 – Software Updates

Shandam Consulting

Software vendors often discover, after their software has been released, issues that may affect its performance, stability, security or functionality. To address these problems, they release software updates (or “patches”) along with a detailed explanation of the vulnerability and its associated risks. Hackers know this, and what better way to “discover” a critical security flaw than to have its maker tell you about it and how to exploit it?

“Warning, you can receive free pizzas if you call Joe’s Pizza Shack and ask for the ‘secret special’! Please tell everyone you know not to do this!”

You can see what would happen, and software developers have unwittingly created a hacker “to do” list when they publish the weaknesses of their software.

Hackers also know that updating software is difficult for organizations, and that time passes between when a vulnerability is discovered and when the update gets applied. It is not uncommon for this interval to be months or even years.

Therefore, one of the simplest and lowest-cost ways an IT organization can increase network security is to deploy all high-risk software updates as soon as possible. The update process can be manual, but it is preferable to use an automated software management system. This ensures a higher compliance rate, since automated systems can update hundreds or thousands of computers simultaneously. It also allows for auditing and reporting of the software inventory to quickly identify any unpatched devices. Software management systems are sometimes provided free by a particular vendor (e.g., Microsoft), but in general most multi-platform software management systems are commercial products that must be procured, installed, configured and deployed. Here are some general guidelines for managing the software update process:

  • Update all your servers and workstations as soon as possible, even if it involves someone from IT visiting workstations to perform the update.
  • Develop a plan to automate this process utilizing software automation tools.
  • Use automated tools to run quarterly reports to validate that all servers and workstations are being updated.
  • Develop a method to address software updates for mobile and work-from-home users, who are often the highest hacking risk due to their exposure to insecure environments.
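The kind of compliance report the third guideline describes, as an added example that is not from the original post or from any vendor's management tool. The inventory records, host names, update identifiers and report date are constructed for illustration; in practice the records would come from an export of your software management system, and a device that has not reported in is treated as unpatched rather than assumed to be fine.

```python
from datetime import date, timedelta

# Constructed sample inventory (not real hosts). Each record holds the host name,
# its role, the date it last reported its patch state, and pending updates as
# (update id, vendor severity) pairs. Update ids are placeholders, not real KBs.
INVENTORY = [
    {"host": "srv-01", "role": "server", "last_report": date(2024, 3, 28),
     "pending": []},
    {"host": "srv-02", "role": "server", "last_report": date(2024, 3, 27),
     "pending": [("UPD-PLACEHOLDER-1", "critical")]},
    {"host": "ws-01", "role": "workstation", "last_report": date(2024, 3, 29),
     "pending": [("UPD-PLACEHOLDER-2", "low")]},
    {"host": "lap-01", "role": "mobile", "last_report": date(2024, 1, 10),
     "pending": [("UPD-PLACEHOLDER-1", "critical")]},
]

AS_OF = date(2024, 3, 31)            # constructed end-of-quarter report date
HIGH_RISK = {"critical", "high"}     # severities that must be deployed at once


def classify(record, as_of, stale_after=timedelta(days=30)):
    """Bucket one device: stale, high-risk-pending, low-risk-pending or compliant."""
    if as_of - record["last_report"] > stale_after:
        # No recent check-in: state unknown, so count it as unpatched. Mobile and
        # work-from-home devices typically land here when they miss the network.
        return "stale"
    if any(sev in HIGH_RISK for _, sev in record["pending"]):
        return "high-risk-pending"
    if record["pending"]:
        return "low-risk-pending"
    return "compliant"


def compliance_report(inventory, as_of):
    """Return per-bucket host lists plus the compliance rate for the period."""
    buckets = {"compliant": [], "low-risk-pending": [],
               "high-risk-pending": [], "stale": []}
    for rec in inventory:
        buckets[classify(rec, as_of)].append(rec["host"])
    # A device counts as compliant when it reported recently and has no pending
    # high-risk update; low-risk backlog is tracked but does not fail the device.
    ok = len(buckets["compliant"]) + len(buckets["low-risk-pending"])
    rate = ok / len(inventory) if inventory else 0.0
    return {"rate": rate, **buckets}


if __name__ == "__main__":
    report = compliance_report(INVENTORY, AS_OF)
    print(f"compliance rate: {report['rate']:.0%}")
    for bucket in ("high-risk-pending", "stale", "low-risk-pending"):
        print(f"{bucket}: {', '.join(report[bucket]) or '-'}")
```

Hosts in the high-risk-pending and stale buckets are the ones to chase first; the stale list is where unmanaged mobile and remote devices usually show up.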

In general, computer software vendors are getting better about software security. Hackers know this, and have been focusing on older, unsupported software. Continuing to utilize obsolete or unpatched software will increase the risk that your organization will be affected by viruses and malware.