I've written multiple articles on this blog about security. I've talked about how to prevent your website from being hacked, and I've talked about using strong passwords. And every week on the podcast that I host—Full Frontal Nerdity—it seems we talk about yet another big company which has been hacked or infected with malware. So they make headline news, and all their customers get another year of free identity theft protection, which is a lot like shutting the barn door after the horse has already bolted. So, in this article, I'll continue my mission to talk about security and help keep you protected, and help keep your company out of the news.
Today I want to talk about one of the most powerful weapons you have in your arsenal to keep your security tight, but also probably one of the most overlooked, and definitely one of the most ignored. In terms of bad security practices, this one ranks right up there with re-using passwords, and we're all guilty of it on one level or another. We've all been there; you're working on your computer in the middle of something important, and a little screen pops up informing you that there are software updates available for your PC or Mac and that it needs to install them and then reboot the machine. Invariably, our natural response is to click the little button that says "remind me later." But that's a bad idea, and in this article, I want to tell you why. I may not be able to make you love the Update Notification popup, but hopefully, I'll be able to show you why it's so important.
Remind Me Later
In the world of software, updates are a fact of life, and that’s because no software ships perfectly secure or with all the bugs ironed out. In fact, there are only three reasons why developers release updates to your apps: to add new features, to fix bugs, and to plug security holes.
New features are nice, sure, and that’s why you’ll see a lot of people [crazily] running the new iPhone beta OS months before it’s commercially available, because they want the new features (never mind the fact that it’s designed for developers, and is guaranteed to crash more often than my 5-year-old playing Mario Kart). But new features aren’t crucial to security, and although they come with many updates, they are not the topic of this article.
Bugs, on the other hand, are a little more important.
Bugs are the kinds of things that developers simply can’t find by testing their app with a few close friends. They need thousands and thousands of people in the real world trying to make the app do things it was never intended to do and causing it to crash. Once the developers have that information (that’s why your computer asks you if it’s okay to send crash reports when things go crazy), they can figure out what is causing the unexpected behavior and fix it. Bugs are important, but still not critical. Although, it would be nice if Niantic could figure out why Pokémon Go keeps freezing right in the middle of catching ‘em all!
The third category, however, is critical to your security. When a software developer creates an app, he or she is thinking of all the cool functionality they can put in there to enrich your life. What they are often not thinking of is how a hacker or some other devious group could exploit a weakness in that app to either harvest private information about you, trick you into giving up that information, or worse, install malware onto your device. These kinds of security holes are a huge headache and a nightmare for the software developer. In fact, many of the big names in tech—Microsoft, Google, Oracle, Facebook, et al.—offer a “bug bounty,” in other words a reward for people who find these security issues and report them, preferably without exploiting them first. The worst kind of security flaw is what’s known as a “zero-day exploit,” which is a security flaw that’s in the wild and being used to break into devices, but the software developer hasn’t released a fix for it yet. That leaves all of their customers wide open to attack. Not a good thing. Savvy software developers make closing security vulnerabilities in their software a number one priority. And that’s why they are constantly sending out those pesky updates you love so much.
Read the Fine Print
Most software updates come with a block of text called the “changelog,” which is designed to tell you what is included in the latest update. Sometimes it’s a simple and cryptic one-liner, “Bug fixes,” but often the developer will detail what new features have been added, which bugs have been fixed, and—more importantly—what security holes have been patched. This changelog may make for dull bedtime reading, but it is important to see what has been fixed. Unfortunately, the changelog is also a mixed blessing. When a vulnerability is fixed and the update goes out, the whole world now knows what the vulnerability was and what to look for to exploit it. If you’ve updated your device, you have nothing to worry about. However, if you clicked “remind me later,” that vulnerability is still in the version of the software that your machine is running, and now there are a bunch of hackers out there who would love to take advantage of your outdated software.
Imagine if it was announced on the news that there is a recall on the locks on your front door, and anyone could open your door at any time just by jiggling the handle really hard. Of course, you’d want to get your locks fixed immediately, before somebody decides to try out that theory while you’re at work. It’s the same situation with security software updates: the vulnerability is common knowledge in the hacking community, and your best defense is the software update tool built into your computer. Fortunately, you don’t have to call an expensive locksmith; you just need to let it install the updates and restart your computer.
Keep it Simple
Some modern operating systems allow you to opt to have your software update automatically, so you don’t have to worry about it, but they still require you to restart your device periodically. Updates typically come in two flavors: operating system updates (very critical) and third-party patches (updates for the other software running on your device). Microsoft typically releases its updates for Windows and Office products on Tuesdays (called Patch Tuesday in the IT world). Apple has been known to be a little slower to respond to vulnerabilities, but they also release periodic updates for both Mac OS X and iOS for iPhone and iPad. At Bit-Wizards, one of the core services we offer in our Managed IT Services is managed updates and third-party patching. We individually vet operating system updates and third-party software updates to make sure they introduce no vulnerabilities and don’t break existing functionality, then we push those updates to all of our clients’ computers overnight, so they don’t have to worry.
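As an added illustration (not Bit-Wizards' own tooling or code), here is a small Python check of the kind a managed-update service runs over its fleet: it compares each machine's installed versions against the lowest version that contains the security fix and flags machines where an update is installed but the reboot is still pending, so the fix isn't active yet. The product names, version numbers and hostnames are constructed for the example.

```python
"""Added example: patch-compliance check over a constructed inventory.
Not Bit-Wizards' tooling; products, versions and hostnames are made up."""
from dataclasses import dataclass


def parse_version(text):
    """Split '10.9.2' into (10, 9, 2) so 10.10 sorts after 10.9 (a string compare would not)."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class Host:
    name: str
    installed: dict          # product -> installed version string
    reboot_pending: bool     # update staged, but "remind me later" was clicked


# Constructed baseline: lowest version of each product that contains the security fix.
PATCHED_BASELINE = {
    "example-browser": "97.0.4",
    "example-reader": "21.1.0",
}


def audit(host, baseline=PATCHED_BASELINE):
    """Return findings for one host: outdated products and a pending reboot."""
    findings = []
    for product, minimum in baseline.items():
        installed = host.installed.get(product)
        if installed is None:
            continue  # product not present on this host, nothing to patch
        if parse_version(installed) < parse_version(minimum):
            findings.append(f"{host.name}: {product} {installed} < patched {minimum}")
    if host.reboot_pending:
        findings.append(f"{host.name}: update installed but reboot pending, fix not yet active")
    return findings


def audit_fleet(hosts, baseline=PATCHED_BASELINE):
    """Return {hostname: findings} for every host that is not compliant."""
    return {h.name: f for h in hosts if (f := audit(h, baseline))}


# Constructed inventory: ws-01 is current, ws-02 has an old reader, ws-03 never rebooted.
FLEET = [
    Host("ws-01", {"example-browser": "97.0.4", "example-reader": "21.1.0"}, False),
    Host("ws-02", {"example-browser": "97.0.10", "example-reader": "21.0.9"}, False),
    Host("ws-03", {"example-browser": "96.0.11"}, True),
]

if __name__ == "__main__":
    for name, findings in audit_fleet(FLEET).items():
        print(name, *findings, sep="\n  ")
```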
So, what is the moral of the story? Just do your updates when prompted. It might be painful to stop and reboot, but just take a break and get a cup of coffee; by the time you get back, your computer will be up and ready to go, and it will be safe and secure.