When it comes to cyber security, patching your business’s software and devices is one of the most important defenses against ransomware attacks and other malicious intrusions.
According to Wikipedia, “In computer security, a vulnerability is a weakness which can be exploited by a threat actor, such as an attacker, to cross privilege boundaries (i.e. perform unauthorized actions) within a computer system.”
With the proliferation of operating systems and devices, business environments require a wider range of — and more frequent — software patching than ever before.
Vulnerabilities are such a pervasive problem that there is a centralized database with many contributors.
Most known software and device (firmware) vulnerabilities are assigned a unique identifier called a CVE. CVE is an acronym for Common Vulnerabilities and Exposures.
The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) provides a searchable online database as well as an RSS feed that “contains the most recent CVE cyber vulnerabilities published within the National Vulnerability Database.”
There are also third parties, such as this Twitter user, who aggregate CVE information from multiple sources.
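As an added illustration (not code from this article or from NIST), the Python sketch below shows how a CVE feed can be checked against a list of the products a business runs. The feed is a constructed sample in plain RSS 2.0 layout, and the CVE IDs, product names and asset names are invented placeholders.

```python
import re
import xml.etree.ElementTree as ET

# A CVE ID is "CVE-", a four-digit year, then a sequence number of four or more digits.
CVE_ID = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# Constructed sample feed (plain RSS 2.0); every ID and product name is a placeholder.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed CVE feed</title>
<item><title>CVE-2099-0001</title>
<description>Example Browser before 9.1 allows code execution via a crafted page.</description></item>
<item><title>CVE-2099-0002</title>
<description>ExampleMail Server 4.x allows privilege escalation.</description></item>
<item><title>CVE-2099-12345</title>
<description>Example Firewall OS firmware allows authentication bypass.</description></item>
<item><title>Weekly summary</title>
<description>No identifier in this entry.</description></item>
</channel></rss>"""

# Hypothetical inventory: asset name -> product keywords to look for in feed text.
INVENTORY = {
    "front-desk-pc": ["example browser"],
    "mail-01": ["examplemail server"],
    "edge-fw": ["example firewall os"],
    "crm-tablet": ["example crm app"],
}

def parse_feed(xml_text):
    """Return (cve_ids, text) for every feed item that names at least one CVE."""
    # For feeds fetched over the network, use a hardened parser such as defusedxml.
    entries = []
    for item in ET.fromstring(xml_text).iter("item"):
        text = " ".join((item.findtext(tag) or "") for tag in ("title", "description"))
        ids = sorted(set(CVE_ID.findall(text)))
        if ids:
            entries.append((ids, text))
    return entries

def assets_to_review(xml_text, inventory):
    """Map each asset to the sorted CVE IDs whose entry mentions one of its products."""
    hits = {}
    for ids, text in parse_feed(xml_text):
        lowered = text.lower()
        for asset, keywords in inventory.items():
            if any(keyword in lowered for keyword in keywords):
                hits.setdefault(asset, set()).update(ids)
    return {asset: sorted(ids) for asset, ids in hits.items()}

if __name__ == "__main__":
    for asset, ids in sorted(assets_to_review(SAMPLE_FEED, INVENTORY).items()):
        print(f"{asset}: review {', '.join(ids)}")
```

Keyword matching of this kind only narrows down which entries deserve a closer look; the affected version ranges in each entry still have to be compared with what is installed.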
Until your internal IT department or your organization’s managed IT service provider has a mechanism in place to automatically patch most of your systems, you and your employees may need to be more vigilant than ever about manually installing security updates.
In some cases, computers and network devices have software that can no longer be updated, or that can no longer be updated without extra costs. In those cases, you should consider replacing the software or the device.
Here is a list of software and devices that are subject to CVEs and that need periodic (and sometimes frequent) patching.
- Desktop operating systems
- Server operating systems
- Mobile operating systems
- Desktop software applications
- Physical server software
- Virtual server software
- Mobile apps
- Antivirus and anti-malware software
- Web browsers
- Browser extensions
- Cloud software
- Remote access devices
- Intrusion protection devices
- Automatic patching software
Desktop operating systems
Microsoft Windows, macOS, and Linux all need to be patched or updated on an ongoing basis.
Microsoft Windows has monthly security updates. Windows updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows, in addition to non-security updates.
Normally, desktop operating systems should be patched as soon as possible after a new patch is released. However, there are occasional exceptions. For example, some Windows patches have been known to cause more problems than they solved. The role of a managed IT service provider is to make this determination for their customers.
It’s worth mentioning that there are currently tens of millions of unpatched Windows 7 machines since Windows 7 users no longer get free security updates from Microsoft. According to Microsoft, “If you continue to use Windows 7 after support has ended, your PC will still work, but it will be more vulnerable to security risks and viruses.”
It is currently possible for Windows 7 users to purchase Windows 7 Extended Security Updates (ESU).
Server operating systems
If you have in-house or colocated servers in your business, their operating systems are subject to vulnerabilities.
In fact, desktop operating systems such as Windows 10 are often compromised by an intruder in order to get at a Windows server OS, where ransomware can be executed.
Windows Server 2008 is in a similar position to Windows 7. Server 2008 is past end-of-life, but ESUs can be purchased for the time being.
Mobile operating systems
Whether a mobile device is company-owned or BYOD, the operating system should be updated as soon as security patches and new versions are available.
Apple patched 22 vulnerabilities with the release of iOS 15 and iPadOS 15.
When an iPhone or Android device is too old to be updated to the current release, you should consider replacing the device.
Desktop software applications
Desktop applications are not immune from security issues.
In fact, popular software such as Microsoft Office, Adobe Flash, and Apple’s QuickTime Player have all been known to have vulnerabilities.
Physical server software
Applications such as Microsoft SharePoint Server and Microsoft Exchange Server are also subject to vulnerabilities.
Virtual server software
When it comes to potential vulnerabilities, virtual servers are no different from physical servers.
Software patches should be applied to virtual server software as soon as possible after they have been released and vetted by your IT department or managed IT service provider.
Mobile apps
Older software applications that do not get updated regularly on mobile devices are targets for software security issues.
Users should not ignore the update-notifier on their mobile devices.
Antivirus and anti-malware software
In addition to applying patches for business productivity software on your computer, you should regularly update antivirus software.
Most anti-malware software is updated automatically. However, it is possible that the software may not update itself if the software manufacturer’s servers are offline.
Web browsers
Most of today’s web browsers are self-patching through automatic updates.
Chrome, for example, automatically downloads updates. But to apply updates, users need to click the Update button in the top right of the browser and then relaunch the browser. Brave browser updates work the same way as Chrome — since Brave is Chromium-based.
Chromebook users should be aware of the fact that every Chromebook ships with an Auto Update Expiration (AUE) date. As of the AUE date, these devices will no longer receive software updates from Google.
Internet Explorer has historically had the most vulnerabilities of any browser. The use of IE should be avoided, if possible.
Browser extensions
A number of browser extensions have had vulnerabilities.
Google had to remove a Chrome extension called The Great Suspender, which was used by about 2 million people. This was due to reports that the extension had been compromised and that it may have installed malicious code and tracking software on users’ systems.
Cloud software
Cloud software is an area in which patching is not necessarily in control of an individual business. Since many cloud apps are multi-tenant, most cloud vendors patch all customer accounts within a short time window.
Salesforce, a popular cloud CRM vendor, provides proactive security release updates, in order to defend against potential vulnerabilities before they can happen. Each customer can choose to apply these before the date at which they are automatically applied.
Remote access devices
This type of hardware device may need periodic patching.
Firewalls factor into network security and need to be frequently patched.
Cisco and Palo Alto Networks provide updates to their security software every 15 minutes. Cyberoam’s software is updated every night.
Intrusion protection devices
The software embedded in your network devices requires updates each time the vendor releases new software patches.
For example, Cisco’s IPS (Intrusion Prevention System) software needs to be patched regularly.
Automatic patching software
Ironically, some of the software that is designed to patch software has itself had vulnerabilities. Kaseya’s VSA had a notoriously exploited vulnerability in 2021. This affected as many as 1,500 SMBs. SolarWinds customers were also victims of a notorious attack.
Make sure the patching software that is used within your business has a clean record.
Regularly patching software and devices is one of a business’s best defenses against exploits by hackers and ransomware gangs.
All businesses, no matter what size, should have a patching strategy and plan in place. This should include automating as much of the patching process as possible.