It seems like every day we wake up to read about yet another attack made possible by one or more vulnerabilities. Even WordPress became the target of an SQL injection attack that affected over 300,000 sites. Android, iOS, Windows, even Linux all find themselves vulnerable.
At some point, one of the first questions you might ask is, “Why?” The simplest answer is “Because it’s possible.” The not-so-simple answer (the one that is far more dangerous) is because there is both profit and power to be had. An entire industry centered around ransomware has risen over the last few years. Unethical hackers have taken to making it their business to profit off of their ability to hijack your data.
But don’t get me wrong, I know that computer systems have suffered from vulnerabilities for a very long time, and that no computer is perfectly safe so long as it is connected to the internet. Even so, it seems we’ve reached this event horizon with hacking where banks, nuclear power plants, cars, IoT devices, smartphones, servers, desktops, refrigerators, HVAC, thermostats, you name it, all exist with a target on their metaphorical backs. And it seems, no matter how much experience and skill you have, those devices remain at the whim of developers who (hopefully) work with the diligence of a beaver to patch discovered holes.
Thing is, no matter how hard those developers work on solving the vulnerabilities in their software, their work fails when end users don’t bother to apply the updates. And that, my friends, is key to your data security.
I’ve heard just about every possible excuse on the planet for not updating a system. I once knew an administrator who refused to update an old HP-UX box, simply because the uptime was reaching two years. This particular machine still served a purpose and was connected to the network, running a software stack that was considerably out of date.
Other excuses range from not having time, to updates being a hassle or confusing, to some users and admins not understanding just how crucial updates are.
I spend a good amount of time covering Android, and how important it is to check for updates on a daily basis. The truth is, that advice doesn’t only apply to consumers and their smartphones; it works for business users and system administrators as well. And don’t think, for a second, I am clueless as to the timing of updating/upgrading. You can’t just run an upgrade that will send systems offline for any given period of time–not during business hours, when uptime is crucial. However, that does not excuse those same systems from being updated.
Not now. Not going forward. We live in an age where updates are as critical as uptime. Considering how much downtime you stand to suffer, should your systems be crippled by an unpatched vulnerability, the concerns for uptime tend to disappear.
It cannot be denied that the onus for resolving vulnerabilities rests on the developers. Without programmers, white-hat hackers, bug hunters, and other such entities, we wouldn’t know of the existence of flaws and those flaws wouldn’t be patched. When those vulnerabilities are patched and the software shipped, guess where that onus shifts? That’s right…the users of the product. When those updates are released, and are not applied, the fault for system compromise does not lie with the manufacturer or developer, but with the owner or administrator of the system. And although I beat this drum almost weekly, this is an edict that must be repeated over and over and over and over…
Update. Your. Systems.
Be they smartphones, desktops, servers, tablets, laptops…update not just the operating system, but the software. Any piece of software you use, keep it updated. Every stack – Android, iOS, MacOS, Windows, Linux, Apache, MySQL, IIS, Exchange, LibreOffice, Thunderbird, Chrome, Firefox, Candy-freakin-Crush – no update should fall through the cracks at this point.
Why? Because if you fail to update, you are vulnerable to attack and it won’t be a matter of “if” but “when”.
Have I made that clear yet?
Stop with the excuses
I get it–especially in the enterprise and in businesses of other sizes–there is a right and a wrong time for updates. When the bottom line is the bottom line, you cannot update at your whim; these things must be scheduled. But that is no excuse to continually put off that inevitability. And I also get the idea that, with some platforms, you never know if an update is going to go forward, backward, or sideways. In those instances, make sure you have a bare metal backup and run the updates anyway. With that bare metal backup available, should an update break, you can always return that system to a working state.
Otherwise? Well, you know what eventually happens to systems that continue to go unpatched.
And with that, I have systems to update.