It seems like just about every week, another big company is hacked or infected with malware. They make headlines on the news and all their customers get another year of free identity theft protection (which is a lot like shutting the barn door after the horse has already bolted). So, let’s talk about security, help protect you, and try to keep your company out of the news.
Software updates are among the most powerful weapons you have in your arsenal to keep your security tight
This is probably one of the most overlooked, and definitely one of the most ignored, preventative measures. In terms of bad security practices, this one ranks right up there with re-using passwords. Everyone is guilty of it on one level or another.
You're working on your computer in the middle of something important and a little screen pops up saying that there are software updates available for your PC or Mac. The popup tells you it needs to install them and then reboot the machine. Invariably, our natural response is to click the little button that says "remind me later,” but that's a bad idea.
In the world of software, updates are a fact of life. This is because no software ships perfectly secure or with all the bugs ironed out. In fact, there are only three reasons why developers release updates to your apps: to release new features, kill bugs, and plug security holes.
That third category is critical to your security
When a software developer creates an app, he or she is thinking of all the cool functionality they can put in there to enrich your life. What they are often not thinking of, is how a hacker or some other devious group could exploit a weakness in that app to harvest private information about you, trick you into giving up that information, or install malware onto your device.
These kinds of security holes are a huge headache (a nightmare really) for the software developer. In fact, many of the big names in tech— Microsoft, Google, Oracle, Facebook, etc., all offer a “bug bounty.” In other words, a reward for people who find these security issues and report them, preferably without exploiting them first.
The worst kind of security flaw is what’s known as a “zero-day exploit.” This is a security flaw that’s in the wild and being used to break into devices, but the software developer hasn’t released a fix for it yet. That leaves all of their customers wide open for attack. Not a good thing.
Savvy software developers make it a top priority to close security vulnerabilities in their software. That’s why they are constantly sending out those pesky updates you love so much.
Read the fine print
Most software updates come with a block of text called the “changelog,” which is designed to tell you what is included in the latest update. Sometimes it’s a simple and cryptic one-liner, like “Bug fixes,” but often the developer will detail what new features have been added, which bugs have been fixed, and— more importantly— what security holes have been patched.
This changelog may make for dull bedtime reading, but it is important to see what has been fixed. Unfortunately, the changelog is also a mixed blessing. When a vulnerability is fixed, the update goes out, and now the whole world knows what the vulnerability was and what to look for to exploit it. If you updated your device, you have nothing to worry about. However, if you clicked “remind me later,” that vulnerability is still in the version of software that your machine is running. Now there are a bunch of hackers out there who would love to take advantage of your outdated software.
Imagine that a story comes out on the news saying there is a recall on the locks you have on your front door. It says anyone can open your door just by jiggling the handle. You would probably get your locks fixed immediately, before somebody decides to try it out while you’re at work.
It’s the same situation with security software updates. The vulnerability is now common knowledge in the hacking community. Your best defense is the software update tool built into your computer. Fortunately, you don’t have to call an expensive locksmith. You just need to let it install the updates and restart your computer.
Keep it simple
Some operating systems allow you to opt to have your software updated automatically so you don’t have to worry about it, but they still require you to restart your device periodically. Updates typically come in two flavors: operating system updates (very critical), and third-party patches (updates for the software running on your device).
At Bit-Wizards, one of the core services we offer in our
Managed IT Services is managed updates and third party patching. We
individually vet operating system updates and third party software updates to make sure there are no vulnerabilities, and that nothing will break existing functionality. Then we push those updates to all of our clients’ computers overnight, so they don’t have to worry.
So, what’s the moral of the story here?
Just do your updates when prompted. It might be painful to stop and reboot, but just take a break and get a cup of coffee. By the time you get back, your computer will be up and running, and it will be safe and secure.