Update Fatigue is a Huge Cyber Risk
Tony Vizza
Digital Risk and Governance Executive | Cybersecurity, AI and Privacy Practitioner | Digital Law | Board Director | Independent Expert
The IT industry must learn to do better to ensure that 'Security by Design' is at the forefront of software and application development.
'Drop Everything and Update'
Late last week, Apple issued a critical update for a wide range of products that patched a significant security vulnerability it had been alerted to. As an avid user of Apple products, I quickly installed the patch on the range of Apple products that my family and I own. All up, I would have dedicated 2-3 hours over the weekend to updating my Apple operating systems to the latest versions.
As I was updating my operating systems, I remembered that, given it's been a busy few months, it would be prudent to see if there were updates for my other compute devices (NAS and Windows machine) and network devices (firewall, switch, access points), and of course to check that the apps installed on all of these devices were also up to date.
I should note that ordinarily I update my devices religiously; however, of late there simply has not been time due to increasing workload, 13 weeks in lockdown and too much going on.
So far, my updates have included:
- Apple laptop operating system
- Apple smartphones operating system
- Apple tablets operating system
- Windows computer operating system
- Network storage appliance operating system
- Firewall operating system
- Switch operating system
- Access points operating system
- Apple laptop productivity tools
- Apple laptop browsers
- Apple laptop music streaming software
- Apple laptop VPN software
- Apple laptop EPP software
- Network storage appliance applications
- Printer Firmware
And the list goes on.
Figure 1 - A few of the things you need to be doing to stay on top of your home cybersecurity challenges (Source: Tony Vizza).
The Importance of Patching and Updates Should not be Understated
Now, I am acutely aware that one of the cardinal things to do from a cybersecurity perspective is to patch systems and applications. In fact, patching applications and patching operating systems make up two of the ASD Essential 8 steps to mitigate cyber risk, and they are fundamental aspects of ISO 27001 and NIST for attaining good cybersecurity hygiene. So the importance to individuals and companies of regularly updating applications and operating systems to prevent cyber breaches is not lost on me in the slightest...
However...
There are two sides to every coin here. Let me explain.
Product Recalls vs Software Updates
My family owns a Toyota Corolla manual hatchback. In the very early days of our relationship, my partner decided to buy a manual while I vehemently protested at the time that manual cars were awful and automatic was the only way to go.
Fast forward almost a decade and I personally love driving this little car more than I like driving our other car, the far newer automatic family car with all of the mod-cons.
The reason I discuss the car the kids refer to as 'Silverfox' is that, since we have owned it, the Corolla has received two product recalls related to faulty airbags, the same recall that has affected millions of cars around the world. That's right... two. The car gets regularly serviced, where (I suspect) additional updates are run on the car's CPU; however, I have only ever had to directly intervene in a recall situation twice. And I note that this is a lot, given that for all of the earlier cars I have owned, I only once had to take the car in to service for a recall-type situation.
Now, I understand that IT systems are more complex from a coding and complexity perspective than a car may be; however, to expect that individuals will drop everything to update their systems in a never-ending rigmarole of updates and restarts is simply not sustainable long term. Not to mention the fact that apathy will often set in long before time constraints get in the way.
Solving the Issue through Better Software
If we consider the magnitude of the cyber situation, where a cyber crime is being reported every 7-8 minutes, it's become clear that software development has a critical role to play in the mitigation of risks and vulnerabilities. Yet, even today, for many app developers who embed the principles of agility and innovation in their raison d'être, security is more often than not an afterthought at best, a bolt-on at worst.
While this is slowly changing, particularly from a regulatory perspective (for example through the European Union GDPR and the California CCPA), the issue is light years away from being solved.
There are certainly ways to address security issues within software. Some of these ways include:
- Ensuring that a 'security by design' and 'privacy by design' mindset is adopted when designing, writing, implementing and testing software.
- Ensuring app and software developers are trained and certified in the art of secure coding. An excellent way to achieve this is for software and application development professionals to attain the CSSLP (Certified Secure Software Lifecycle Professional) certification.
- Static code review by qualified and experienced software testers.
- Dynamic security testing of applications by experienced software QA and security professionals.
- Disabling options that are not required for the application to function.
- The use of secure code repositories in application development.
- Enabling auto-updates of applications and ensuring that users are only alerted when an update has not been installed.
Conclusion
The NIST National Vulnerability Database (NVD) published 32,524 vulnerabilities in 2020, an all-time record. It is clear that software bugs and vulnerabilities lead to the need for updates and patching, which in turn drives a huge amount of manual effort required for individuals and organisations to remain cyber safe and secure. What is also clear is that the IT industry must do more to address the root cause of many of these software vulnerabilities: creating more secure and robust software and applications.
Tony Vizza is a certified and qualified IT and cyber security professional with over 25 years of hands-on experience in the field. You can learn more by visiting www.tonyvizza.com. Opinions and views expressed in this article are his own.
Professor of Cybersecurity and Behaviour
3 years: security fatigue is a real thing ... I still haven't been able to patch everything!
Cyber Security Sales Specialist
3 years: Tony Vizza, CISSP, CCSP lucky you have a robust backup recovery in place of a failed patch.
CISSP | CISM | CRISC | CCSK | CCZT | OSMEP | Digital Risk Governance, Strategy and Resilience | Advising executives on cyberrisk-aware business decision making
3 years: "The software supply chain presents a systemic risk to businesses, governments, and society at large. Just as Coca-Cola cannot ship soda laced with cyanide, and Frito-Lay cannot ship potato chips packaged with rat droppings, we need Microsoft, Oracle, Adobe, Google, Amazon, Apple, Facebook, etc. to stop shipping unsafe and insecure software." -- Raj Goel, CISSP, CTO of cybersecurity provider Brainlink; taken from the (ISC)2 InfoSecurity Professional Mag., May/June 2021. To better illustrate the point, CVSS Score Distribution for Vendors and Products, respectively:
- https://lnkd.in/dg-9J_6
- https://lnkd.in/eqeDPqc
Account Manager Food Vertical at NJMEP - CISSP Cyber Associate, Rutgers University
3 years: The turtle vs the rabbit story has huge applications for companies pondering investing in cyber security. Certainly the (ISC) has taught all of us the value of designing for security, updating/config./... (Security by Design) on a consistent schedule, and the overall need to take care of your network's cyber needs. Turtle discipline (and can be at a rabbit's speed) will take the lead over out of control rapid advance then production/brand collapse scenarios. TY for the article.