Why is it important to install updates?
You sometimes hear the mantra “Never change a winning team”, followed by: “it works, so I’ll leave it alone”. Is that a smart move?
(TL;DR at the bottom)
Operating systems (such as Microsoft Windows) are complicated pieces of software that make it possible to do anything with our computer at all. This software is developed by a team of people, based on years of experience. And it’s in human nature: “to err is human”. As a result, errors creep into this software inadvertently.
So that’s not a bad thing, is it? If I don’t use that part where there is an error, then there is nothing wrong, is there?
It is true that you will not notice this in your daily activity. And if your computer isn’t connected to any network and you’re the only one using it, then you have a point. But today a computer is always connected to other computers and usually also to the internet. And that’s where the danger lies…
Cyber criminals try to get hold of data that is on your computer, or that your computer has access to, for various reasons. They try to exploit those flaws that are in the operating system.
Operating System Manufacturer
Some errors are discovered by the maker of the operating system (e.g. Microsoft) and solved with an update before the outside world notices.
Other vulnerabilities are discovered by security researchers and reported privately to the creator of the operating system. A deadline is usually also agreed by which the security researchers will make their findings public. This time allows the manufacturer to fix the error by means of an update. It is important that this time is not too long, for several reasons:
- if the security researchers were able to find this flaw, then a cyber criminal might find it too. As long as there is no update for it, the flaw remains a vulnerability and those cyber criminals could abuse it to get to your data;
- the security researchers also want to show what they are worth within their research world and make known what they have found. That research can then be used by other researchers to build on and thus ensure continuous progress.
The worst case is when cyber criminals discover an error before the manufacturer (e.g. Microsoft) or researchers discover it. The problem is then known to almost no one, and consequently there is no solution for it. In this situation, the cyber criminals have free rein to exploit the flaw. In the jargon this is called “Zero-day” or “0-day”: 0 days have passed between the detection of the error and the resolution (because the error is unknown, so there is no solution).
The usefulness of installing updates in time
If you install this update shortly after the manufacturer has made the update available, the window of opportunity for the cyber criminals will be much shorter. This drastically reduces the chance that your company will become a victim of the error found.
On the other hand, if you wait to install the updates, you give the cyber criminals a lot more time to exploit the flaw at your company and get rid of your data, make it useless by encrypting it, …
Urgency of updates
The operating system flaw referred to above is called a vulnerability in the jargon. Such vulnerabilities are not limited to the operating system, but occur at least as much in software such as database servers, mail servers, file servers, print servers, web servers, etc. Each known vulnerability is given a CVE code. CVE stands for Common Vulnerabilities and Exposures. A score is calculated for each CVE according to the CVSS: the Common Vulnerability Scoring System.
This CVSS score takes into account how easy it is to abuse the vulnerability (exploitability) and how big the impact is when that happens. The closer the score to 10, the more serious!
In other words, it is very important to:
- install updates for high CVSS-scored vulnerabilities as soon as possible;
- install updates for other vulnerabilities in a timely manner;
- have a business process through which you do not implement the updates ad hoc, but systematically;
- take into account a possible roll-back when installing an update does not go as desired.
ISO 27001 speaks in several places about installing updates, including in 12.5, 12.6, 14.2, … That also illustrates the importance of this.
IEC 62443 has a completely separate document devoted to Patch Management in the IACS environment: the Technical Report 62443-2-3.
TL;DR: Manufacturers release updates for their software and/or operating systems. Waiting to install them opens the proverbial door for cyber criminals to exploit the bugs these updates fix. That is why it is important to install the updates in a timely and systematic manner.
Ask advice from specialists
Spinae is ready to advise and support you in this. Do you have questions or concerns about IT security or OT security? Contact our experts, they will be happy to assist you.