Update! Update! Update!

Read all about it!

The last days of Cybersecurity Awareness Month are upon us. By Thursday, we’ll all be so cyber-aware the cybercriminals won’t have a chance against us! If only this were true. Instead, cybersecurity awareness is a yearlong, never-ending goal. The threats don’t stop, and they even increase over the next two months as people head into the holidays. We hope the awareness bump from October will help people recognize and report all the phishing attacks they’ll be seeing. And we hope they’ve enabled MFA to protect their accounts for the times they don’t spot the phish. And lastly, we hope they’re using strong passwords, especially when MFA is not an option.

But to close things out for the month, the last topic to explore is software updates. As I’ve written in my posts this week, software updates are designed to fill the holes in our defenses caused by vulnerabilities. We build layers of defense because we know there will be vulnerabilities at each level. We hope our holes look like Swiss cheese and none of them connect straight through. Because when they do, bad guys can exploit each weakness and cause harm. We also touched upon software updates being their own form of risk. They’re replacing known problems with unknown problems. Both the SolarWinds and CrowdStrike incidents were caused by software updates. The first was malicious and the second was an accident – but either way, the harm was real.

For my last Cybersecurity Awareness Month newsletter, let’s dive into what software updates are and why they need to exist at all. The other three awareness goals (strong passwords, enabling MFA, recognize and report phishing) are all designed to protect you against direct attacks. Bad guys are always trying to directly break into accounts or steal information from you. Software updates exist, not because of actions by bad actors, but because of the complexity of software. Writing software is challenging. We’ve come a long way in the last 60 years. We no longer need punch cards and now our AI assistants can even write the code for us. But all the advancements haven’t made it easier to program, they’ve just made it easier to write code faster.

What’s the result of writing code faster? We have a lot more code in the world than ever before. What’s a common downside of doing something faster? You’re likely to make more mistakes. Our modern advantages focus on building software quickly and cheaply. Quality has seen slight improvement but remains a slower, more manual process. The result is there are a lot of bugs in the world of modern software. Some of those bugs are functional and keep it from doing what it’s supposed to do. Others are hidden and create vulnerabilities in the software. Either way, they’re both software defects and come from the same source.

Software vulnerabilities are typically not visible to the intended user. Instead, they appear when someone uses the software in unexpected ways. They cause the code to do something it wasn’t designed to do – which then crashes the program or computer, or returns information which was supposed to be hidden. Software vulnerabilities typically come in three flavors: unexploitable, exploitable, and exploited. Unexploitable vulnerabilities are problems within the code that can’t be reached by any threat because of how the code is structured. Exploitable means a threat actor could use the flaw to do harm if they have access to the right part of the software. Exploited means that the bad guys have actually used it to cause harm in the real world.

There are also two phases of a software vulnerability: discovered and patched. When a software vulnerability is first discovered – either by researchers or threat actors – if it’s exploitable, it’s known as a zero day. These are particularly risky because the bad guys might know about them before anyone else and can use them to get into systems. It means you’ve got a hole in your defenses, despite your best efforts. On the other hand, patched vulnerabilities are ones where the original provider of the software is aware of the vulnerability and has written an update to fix it. They have then tested the fix (we hope) and put it into a distribution package for the users of the software to install. If you want to patch your copy of the software, you just have to download the update and apply it to your systems.

If you’re breached because you haven’t patched a known vulnerability, then it becomes a question of why you didn’t patch it. As many know, there can be many reasons why you don’t immediately install a patch. Sometimes it’s because the patch may change other behaviors of a system. For example, there was a long-standing bug in a Microsoft library. It had been there so long that other third-party software relied on it and took advantage of the behavior it caused. Eventually, Microsoft patched it, and suddenly all the third-party libraries stopped working. If your business process relied on that third-party software and you installed the patch without testing it – you could be down for the count.

Part of a mature IT risk management program is understanding the risk of installing software updates and weighing it against the risk of not installing them. If you have a good cybersecurity program, with appropriate “defense in depth” and monitoring – delaying a patch shouldn’t cause immediate harm. You should have the same protections in place as you’d have for a zero day – to detect actual breaches and cut them off before they do harm. This allows you to test the patches and then only move them to production systems once you know they won’t be creating a new problem.

Software vulnerabilities are a natural part of the software development process. Their presence, in isolation, doesn’t mean the provider of the software is bad at writing software. If they frequently have vulnerabilities, then perhaps there’s a reason for concern. But all software which is accessed by other computers will have vulnerabilities. The main question is how frequently they are found and patched before they can be exploited. And the provider should give you enough information about what is changing for you to do good testing on the update before you distribute it.

For most consumers, the choice should be to install updates automatically, as soon as the vendor publishes them. For Internet of Things (IoT) devices, smart home devices, and similar, you typically don’t have a choice about how frequently they’re updated. If they’re online, they’ll update automatically whenever the vendor releases a new version or a patch. Businesses, of course, need to do the risk balancing so they don’t end up with a broken production system. But, whether for home or business, it’s important to make sure you’re installing the patches as soon as possible, especially when dealing with the exploited ones. This practice will help keep your information as safe as possible and not put another hole in your defense a hacker could walk straight through.
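To make the three flavors (unexploitable, exploitable, exploited), the two phases (zero day vs. patched) and the test-before-production rule concrete, here is an added worked example of a patch triage ranking. It is not code from the newsletter or from any vendor; the inventory entries, software names and states are constructed sample data, and the priority numbers and action strings are my own choices for illustrating the reasoning above.

```python
"""Patch triage worked example (added illustration, not the newsletter's code).

Combines the three vulnerability flavours, the zero-day vs. patched phases and
the test-in-staging-before-production rule into one ranking function. All
software names and states are constructed sample data, not real advisories.
"""
from dataclasses import dataclass
from enum import IntEnum


class Flavor(IntEnum):
    # Ordered so the more dangerous flavour can be compared numerically.
    UNEXPLOITABLE = 0
    EXPLOITABLE = 1
    EXPLOITED = 2


@dataclass(frozen=True)
class Finding:
    software: str          # constructed sample name
    flavor: Flavor
    patch_available: bool  # False => still a zero day from the defender's view
    tested_in_staging: bool
    environment: str       # "consumer" or "production"


def triage(f: Finding) -> tuple[int, str]:
    """Return (priority, action); a lower priority number means act sooner."""
    if f.flavor is Flavor.UNEXPLOITABLE:
        # Present in the code but unreachable by a threat: normal update cycle.
        return (4, "schedule in regular update cycle")
    if not f.patch_available:
        # Exploitable or exploited with no fix yet: compensating controls only.
        return (0 if f.flavor is Flavor.EXPLOITED else 1,
                "zero day: no patch; rely on defense in depth and monitoring")
    # A fix exists. Consumers should simply take it automatically.
    if f.environment == "consumer":
        return (0 if f.flavor is Flavor.EXPLOITED else 2,
                "install update automatically")
    # Production: weigh the patch's own risk; test first, then promote.
    if f.tested_in_staging:
        return (0 if f.flavor is Flavor.EXPLOITED else 2,
                "deploy tested patch to production")
    return (1 if f.flavor is Flavor.EXPLOITED else 3,
            "test patch in staging before production")


def ranked_plan(findings):
    """Sort findings by urgency; ties are broken by name for stable output."""
    rows = [(triage(f), f) for f in findings]
    rows.sort(key=lambda r: (r[0][0], r[1].software))
    return [(f.software, prio, action) for (prio, action), f in rows]


# Constructed sample inventory (not real products or advisories).
SAMPLE = [
    Finding("acme-db", Flavor.EXPLOITED, True, False, "production"),
    Finding("acme-web", Flavor.EXPLOITABLE, True, True, "production"),
    Finding("acme-agent", Flavor.EXPLOITED, False, False, "production"),
    Finding("home-router-fw", Flavor.EXPLOITABLE, True, False, "consumer"),
    Finding("acme-reporting", Flavor.UNEXPLOITABLE, True, False, "production"),
]

if __name__ == "__main__":
    for software, prio, action in ranked_plan(SAMPLE):
        print(f"P{prio} {software:16s} {action}")
```

Running it lists the exploited zero day first (no patch to install, so monitoring is the only answer), then the exploited-but-untested production patch (expedite the staging test), then the tested patch and the consumer update, and the unexploitable finding last.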

Episode 9 - Patent Pending

My latest podcast episode is now available on your favorite podcast streaming service. My guest is Jon Hobbs PhD, a patent lawyer, and we discuss how patents are an important part of protecting your business and increasing its value.

Interested in being a guest on my podcast (or my Business RadioX show in-person in Atlanta)? Send me a message!

Week In Review

We're in the final stretch of Cybersecurity Awareness Month and then it's Halloween! Do you dress up or celebrate it?

Here's what awareness topics we talked about this past week:

Take a look, vote in the polls, share in the comments, and join in the conversation!

In Conclusion

Only two more posts about cybersecurity awareness and then a hop and a skip to November! Two years ago (my first year in my LinkedIn journey), I posted a different year of gratitude each day of November. Last year I made it "New-vember" and talked about all kinds of new ideas each day. This year, I'm shifting the lens and it's going to be "New-You November" - with topics about how you can grow in your profession, your skills, and more.

On that theme, if you are looking for a new job and want to be in the job seeker spotlight, the You Just Found ME?? job seeker spotlight is free to all jobseekers! Send me a note!

As I'm growing my business, I'm looking at how to engage with private equity firms, law firms, and start-ups facing their next challenge - so if you're connected to any of these worlds, let's chat soon! I also offer referral bonuses to any work you bring me through Mirability, LLC - if you're interested. If there's anything I can help you with, I'd love to hear about it.

I hope this coming week is exactly what you need it to be!

Thanks, as always!


Be sure to check out my new online merchandise. Remember, 100% of the profits for any You Just Found ME merchandise goes to support that program for job seekers!

https://www.cafepress.com/shop/Mirability


If you want to keep up with everything I’m posting, click here and also the bell to be notified when I post!

Follow You Just Found ME?? to help support job seekers!

Follow Mirability, LLC to learn more about how I'm solving unique technology problems!

Subscribe to my Substack here: https://ebspoke.substack.com/

I'm on Medium as well: https://ebspoke.medium.com/

Check out #EBSpoke for more of my recent posts here...


About Erik

Erik Boemanns is a technology executive and lawyer. His background covers many aspects of technology, from infrastructure to software development. He combines this with a "second career" as a lawyer into a world of cybersecurity, governance, risk, compliance, and privacy (GRC-P). His time in a variety of companies, industries, and careers brings a unique perspective on leadership, helping, technology problem solving and implementing compliance.

He's available to help you with any of this now too!

Jon Hobbs PhD

I Get Patents on Artificial Intelligence | Director @ IP Solution | Intellectual Property Services | Startup Advisor | Investor Advisor | Atlanta Bar Association Member |

4 weeks

Very timely information in this article Erik Boemanns, thank you for sharing!

Dan Walsh, CISSP

Cybersecurity Expert | Trusted Advisor | Customer Driven

4 weeks

Great article Erik Boemanns
