Cybercriminals constantly look for new weaknesses to exploit in applications, software, servers and devices. Those exploits allow them to gain access to a device and use it for malicious purposes such as stealing confidential data. To counter them, vendors continually fix newly discovered vulnerabilities to make sure their products stay secure. Those fixes are made available to customers through the release of an update. It is therefore important for an organisation to keep its software and devices up to date.
It can take just one unpatched vulnerability in a system, application or device for cybercriminals to cause damage and gain access to the entire environment. Installing updates as soon as they are available is thus crucial to ensure a strong cyber defence and to make sure that the version in use is still supported by the vendor.
There are two different types of updates to take care of. On one hand, there are updates that aim at fixing security vulnerabilities to make sure a product cannot be compromised. On the other hand, there are updates that aim at enhancing a product from a functionality point of view. Both types are equally important and should be installed as soon as they are available.
To efficiently manage the update process, an organisation should define a series of rules to establish, amongst others, what should be updated, how frequently, who should monitor the availability of new updates and who should make sure they are installed.
Only install applications (operating systems, firmware, or plugins) needed to ensure your operations, and patch or update them whenever possible.
Third-party software, such as browsers, program extensions and middleware, should also be updated regularly. Because users interact with it so heavily, it is a common way for attackers to reach them.
When staff are working on their device, they tend to ignore update notifications so that they do not interrupt their work or lose time waiting for the update to complete. As updates sometimes take time, it is better to plan them outside working hours or during less busy periods. Avoid scheduling major updates on a Friday evening, so that support is available if problems arise.
Cybercriminals display fake update notifications through advertising messages or pop-ups. It is important to download an update only from the official vendor, to avoid installing malware instead. In addition to checking the legitimacy of the website, review what the installer bundles so that you do not tick boxes for unneeded extras such as an advertising add-on.
You should only install a current and vendor-supported version of software you choose to use. It may be useful to assign a day each month to check for patches.
Wherever possible, if the system's configuration allows it, automate the download and installation of new updates so that you always run the latest and most secure version released by the vendor. In addition, verify manually that the update was applied and works correctly.
There are also tools that scan your systems for missing updates, notify you when an update is available for an installed application, and give an overview of what needs to be installed. If you use one of these tools, make sure it checks for updates for every application you use.
In order to avoid missing a crucial update, organisations need to keep monitoring the vendors' websites for new updates for the devices and software they use. It is also important to establish when a product is no longer supported by the vendor, as it then reaches an 'end-of-life' state. From that point on, no new updates are released, leaving the solution vulnerable. It is therefore better to anticipate the end-of-life of a product and migrate the affected resources in time. Finally, staff can also be prevented from installing unsupported products by establishing a whitelist of all authorised ones.
Migrating to another or a more advanced product is not always possible, and sometimes an organisation needs to keep using the unsupported version. In that case, additional security controls must be implemented to protect the product. A good starting point is to make sure the product in question is completely isolated, not only from the rest of the organisation's network but also from the outside (i.e. no connection to the Internet).
Depending on the importance of the update, its impact and dependencies may differ. Whenever possible, updates should be tested before they are deployed. A test environment and a reference baseline are a good way to validate updates in an isolated environment similar to production. They can also be used to rehearse repair scenarios and failed installations.
It is good practice to back up data and systems before installing an update, so that a working version is available in case something goes wrong. It is also best to make a full backup of servers before updating them. Having a rollback strategy available when updating such shared resources is important in order to return to a working server as quickly as possible. The rollback procedure itself should be tested to reduce the negative impact an update could have.
Even with a limited number of systems, maintaining an inventory of all assets allows an organisation to manage the update process more efficiently. This inventory must always be updated with added or removed assets so that it represents the current situation as accurately as possible. In addition, when a new device is acquired, it should be reset to the default parameters and have all updates available from the vendor installed before it is used.
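The end-of-life tracking and the asset inventory described above, as an added shell example that is not part of the original page: it reads a constructed inventory (asset, product, version, vendor support end date, patch status) and reports which assets are past vendor support and therefore need isolation or migration, and which still have an update pending. The inventory contents, product names and dates are all made up for illustration; a real deployment would export this data from its own asset register.

```shell
#!/bin/sh
# Added example: inventory-driven check for end-of-life products and pending updates.
# The inventory below is constructed sample data, not a real asset list.
# Fields: asset,product,version,support_end (ISO 8601),patch_status
INVENTORY='web-01,ExampleOS,4.2,2026-06-30,current
db-02,ExampleDB,9.1,2023-12-31,current
fw-03,ExampleFW,2.0,2025-01-15,pending
hr-04,ExampleApp,1.8,2028-03-01,pending'

# update_report TODAY
# Prints one action line per asset that needs attention. ISO 8601 dates
# compare correctly as plain strings, so no date arithmetic is needed.
# An end-of-life product is reported first and only once, because it can
# no longer be patched at all and must be isolated or migrated.
update_report() {
  today="$1"
  printf '%s\n' "$INVENTORY" | awk -F',' -v today="$today" '
    $4 < today      { printf "%s %s %s: END-OF-LIFE since %s, isolate or migrate\n", $1, $2, $3, $4; next }
    $5 != "current" { printf "%s %s %s: update pending, schedule installation\n", $1, $2, $3 }
  '
}

# Run it for a fixed reference date so the output is reproducible;
# in a scheduled job you would pass "$(date +%Y-%m-%d)" instead.
update_report 2025-02-01
```

The script deliberately keeps the inventory as the single source of truth: an asset that is missing from it is never checked, which is exactly why the paragraph above insists the inventory be kept current whenever assets are added or removed.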
The aim of this content is to share and raise awareness of good cyber security practice.
Some of this advice may apply differently depending on the context of your organisation.
Always comply with the policy and instructions in force in your organisation.
If in doubt, always ask your IT manager for advice first.