In our past posts, we’ve discussed the importance of educating your employees on proper cybersecurity protocols, but there is one aspect of user behavior that can be easily overlooked, yet is critically important: updating and installing patches.
What is a patch?
A patch is a piece of software that is designed to update a computer program or its supporting data. Patches can be updated manually or automatically. Patches are sometimes aimed at improving the user experience, adding new features, eliminating known bugs, or fixing known security vulnerabilities. The latter of these intentions is the main focus of this article.
You may wonder why these ceaseless updates and patches are constantly popping up on your computer? Are they intent on driving you crazy? No, but some of us can sympathize with a typical workday where you’re typing a report, researching on the web, or balancing an account when suddenly Windows goes rogue and installs an update that takes down your system for an indeterminate amount of time. Work productivity screeches to a halt and you are left staring at the update screen and spinning wheel. While this frustration may tempt you to push your computer into the trash can, we strongly advise that you do not. Take this time to grab a second cup of coffee, do a lap around the office, or go outside (which can invigorate your creativity) and let your computer do what it needs to do. It is a lesson in patience and saving your work, but we can assure you that these updates are absolutely necessary. It should also be noted that these patches needn’t be inconvenient. A great IT provider will have these updates scheduled to run during non-business hours every day.
Think of a leak in your roof as a security vulnerability in your OS. If you knew about the leak, would you wait until the next storm to mend it or go ahead and fix it? Most of us would fix it, especially if the roofing company is banging on the door telling you about the leak and offering to fix it for free! Unfortunately, the leaky roof has an immediate negative feedback when the water starts dripping on your head while computer security issues can go unseen and forgotten even while critical data is leaking out.
Real Failures to Patch
According to CSO, most exploits involve vulnerabilities that were patched more than a year ago. Another figure suggests that 80% of breaches are caused by poor patch management.
Remember that WannaCry attack back in May 2017? That half-baked ransomware attack infected over 400,000 Windows PCs and caused an estimated $4 billion in losses and damages. It spread like wildfire across PCs, particularly those running Windows 7 with port 445 open. This was not a sophisticated attack nor was it unique or creative in its approach. The SMB protocol that WannaCry exploited had been publicly leaked by Shadow Brokers a month earlier. You shouldn’t be surprised that the patch for the exploited threat had been available for 59 days before the attack. Users that faithfully patched and updated their Windows 7 OS were saved the frustration that those who did not experienced in the days and months after the attack.
In a more recent attack on Equifax, it has come to the surface that Apache Struts, a tool to create elegant Java web applications, had a known security flaw. This was disclosed by US-CERT in March, but Equifax failed to update and patch the tool, causing the business irrefutable damage to their public image and exposing the identity information of millions of consumers. While Equifax’s inaction was grossly negligent, they are not alone in their failure to patch.
Who Isn’t Patching?
Home PC users are more likely to be computer illiterate or lackadaisical in their security focus. Home users usually lack an IT staff to support their computers, too. While home PCs compose a significant portion of the unpatched population, they are not solely to blame. PCs with pirated operating systems, many are overseas, typically do not get patched because flying under the radar is important to these users. Many average users get frustrated and hit “Remind me Later” when these patch reminders pop up. Lastly, some users are rightfully suspicious that an update to the OS or one program may cause another program to fail. While this is not unheard of, usually a follow-up patch can resolve these issues quickly when they do arise.
Mac vs. PC
Quickly, let’s tackle the elephant in the room. Apple’s OS doesn’t need as much maintenance and TLC as Windows PCs. Macs are more straightforward and have fewer security issues. However, Mac users are no more or less likely to fall victim to phishing schemes and other user behavior – weak passwords, not logging out, etc. – that invites hackers into the system. So, are Macs invincible? No. The era of “Macs don’t get viruses” has been long gone, and while the meat of this article is focused on Windows, security threats and patches come from every technology and tool and no user is immune to the threat of attack.
So next time you are given the option to patch, do it! Save your work, click “Update Now” and restart your system. Want to be even more proactive with your patches? Just go to Windows Updates under System settings and Check for Updates (In Windows 10 you need only ask Cortana to Check for Updates). You can do this before you go home for the day and set your computer to restart or shut down after installing a patch.
The small amount of time it takes to do this is well worth it!