Mark Dudok, a PFE colleague of mine in sunny Canberra, writes about security patches, and why it’s important to keep them front of mind and not get complacent:
Now let's get into your responsibilities as an administrator. If you were a mechanic, you probably wouldn’t be reading this blog. You would likely be busy ensuring that the car you are servicing is going to keep the occupant safe. This mentality carries merit in the IT industry as well. Sure, If you forget to apply a security patch your customer might not die as a result of your negligence. However, if you are an organisation that provides critical health care, or you are support for deployed soldiers, an outage to a critical system as the result of an exploited known vulnerability may result in uncomfortable circumstances.
If it is a Government agency you work for, you might also be having a conversation with a person in dark glasses and a suit asking why you didn’t feel the need to be compliant with the Defence Signals Directorate (DSD) Information Security Manual (ISM).
Control 1144 in the DSD ISM is very specific: "Agencies must apply all critical security patches within two days."
Two days, huh? Well, I guess Windows Update and WSUS take care of the basics… so I’m covered, right?
Patching doesn’t stop with simply patching the Operating System - applications are just as important. Microsoft puts a lot of time and money into security research. Below is a snippet from the Microsoft Security Intelligence Report . You can see a significantly higher number of vulnerabilities when it comes to applications. So, make sure you are keeping on top of updates to your 3rd party applications as well.
Drat. (Also – always worth reading the SIR, even just the key findings)
If you’re even slightly concerned that your network may not be your own and that your organization might place some value on the information held within it, security updates are a part of basic systems hygiene, which raises the bar for attackers. Don’t be left at the whim of some disgruntled employee downloading a ‘sploit kit and owning you. Or worse.
Also, this bit:
This blog post is to help highlight your role as an administrator to help maintain security patch levels for your environment. An interesting topic, I know. But, keep reading - I will make it worth your while, I promise!
Is absolutely delivered on at the end of the post.
Posted by Tristan Kington, MSPFE Editor, still confused as to why there’s no ‘n’ in ‘restaurateur’.