By BECKY RUTHERFORD
What is one of the most important things you can do to increase cyber security at home or at work?
…Throw all your computers in the canyon and go back to typewriters
…Surround your computers with malachite to protect them from viruses
…Keep all of your operating systems and software up to date
Hopefully you all guessed that third option! For businesses, the best option is to maintain a “patch management life cycle” to keep everything up to date across your organization.
Why is this so important?
Perhaps you have heard of the Equifax data breach from back in 2017? This high-profile, high-impact data breach was due to an exploit of a vulnerability in an open source component, Apache Struts – CVE-2017-5638. Apache Struts is a commonly used web framework, used by Fortune 100 companies in education, government, financial services, retail, and media. How much did this breach cost Equifax? The breach resulted in a lawsuit, and it’s estimated they paid out about $700 million to cover losses.
What is a CVE and why should you care? CVE, short for Common Vulnerabilities and Exposures, is a list of publicly disclosed computer security flaws. When someone refers to a CVE, they are referring to a security flaw that’s been assigned a CVE ID number. When a security advisory is issued it usually mentions at least one CVE, these help security professionals coordinate efforts to prioritize and mitigate these vulnerabilities.
What are some patch management best practices for businesses?
- Leverage a risk assessment framework- the key to defense is knowing what you are up against. This can help your IT group create a priority list of what is most important to patch.
- If possible, create a dedicated vulnerability team. Obviously for a small business this may not be possible, but make sure you are devoting resources to analyzing and mitigating the risks.
- Implement a vulnerability management solution to help prioritize patching. Solutions can include Netsparker, Tenable, and more. There are also some free options, like OpenVas, and some vendors offer “community editions” of their software for free as well.
It may sound like a lot of work, but when you consider how much it can cost your business you’ll find it’s very much worth it Down and dirty, what are the most important things for home users to keep up to date?
- Operating system software, such as Windows, Mac or LInux. Any time a patch is released it’s important to make that update. The easiest way is to set your machine to apply these updates automatically.
- Anti-virus software, such as Norton, McAfee, etc. If possible, set it to auto update. The cyber threat landscape is constantly changing, if you are skipping updates your anti-virus is essentially in the dark, and may not be aware of the latest threats.
- Browsers should always be updated, again if possible set them to auto update, but avoid skipping or delaying an update, cyber threats emerge quickly and updates help you stay protected.
- Your phone OS and app software- lack of updates can leave these open to attacks via unpatched vulnerabilities as well, so make sure you are updating these. Make sure you apply updates as they are released to all devices and applications, better yet set things to auto update.
When are updates released? Patch Tuesday, when Microsoft and other vendors release updates, usually falls on the second Tuesday of the month. Updates can also be released out of band, especially if the threat is new and severe. Keep an eye out for updates and make sure you or if you are a business, your IT staff, are applying them in a timely fashion!
Keeping your devices and software up to date is one of the easiest ways to secure your home or business networks from cyber threats. Patch, patch, patch your stuff to help stay secure.
Editor’s note: Becky Rutherford works in information technology at Los Alamos National Laboratory.