After every major data breach or ransomware attack, you probably hear at least someone saying: “If they had applied software updates in time, maybe these attacks could have been prevented or avoided”. When it comes to closing vulnerabilities found in computers and systems, the go-to solution is always patching the software, but how many of us really apply updates in a timely manner? Many cybersecurity specialists and practitioners, ourselves included, keep focusing on raising awareness of this topic and urging both Internet users and organizations to update (or patch) their software as soon as updates are available.
To protect against the insidious threat of malicious updates, it might be tempting to immediately disable these mechanisms on your computers and smartphones. But that would be a terrible idea, one that would expose you to far more harm than it would protect against. In fact, now would be a fine time to check your devices and make sure the automatic system update features are turned on and running.
New research highlights the security risks caused by unpatched vulnerabilities, stating that “55% of all programs installed on personal computers running Windows are outdated”. The same applies to the mobile industry, where one of the most concerning security threats is outdated software. The most frequent cases are found on the Android operating system, which is an OS targeted by cybercriminals. But Google is investing effort in improving the ecosystem through its Android Security Improvement Program, whose main goal is to help Android developers build and release apps without known vulnerabilities. The company has already helped more than 300,000 developers fix more than 1 million apps on Google Play and will probably continue doing so. Today, wherever any software is running, it is exposed to attacks, and hackers don’t miss any opportunity to find security holes and exploit them.
Why it is important to apply software updates
Talking about software updates is like talking about whether you should go see a doctor or not. Some see it as a precautionary measure, others just ignore it. The same goes for applying available updates: they are not only important for our online safety, they are highly necessary. Simply put, applying available updates for operating systems and applications such as plugins, browsers and desktop apps (which include both security and feature patches) means fixing and improving the software you are currently using.
Some of you may say that after the update process finished there were negative side effects: something didn’t work as it did before, some features just vanished, or the interface of the app/software is different. And you need hours to figure out how it works or how to adapt, I understand. Yes, we all find updates annoying sometimes, popping up just when we try to work on a project or watch a movie. But that doesn’t mean we don’t have to do it. We have to make patching a top priority! Plus, you always have the option to turn on the “automatic updates” feature (if available) or use a specialized software updater to handle it automatically and silently, saving time and energy.
Applying software updates is one of the most proactive things we can do to seriously enhance online protection and improve security. We also do it so we don’t get hacked and see our valuable data in the hands of cybercriminals. The faster we update, the better. While doing an expert roundup with cybersecurity professionals to get a more in-depth opinion on the topic of applying software updates, we found out that all of them advocate installing security updates as early and as regularly as possible. If you read carefully what these security experts have to say about software patching, next time you’ll not ignore or postpone another update.
Also, it is important to apply patches because:
- They address a specific and critical vulnerability that can be fixed and closed in a timely manner before malicious actors can exploit it;
- It is a proactive security measure that lowers the risk, for both home users and companies, of being exposed to cyber-attacks in which cybercriminals target their sensitive data;
- They improve the operating system and make the app more stable, and also enhance the overall security posture;
- Your data is more secure – Your most important docs, photos, or personal information are probably stored on the devices you use daily. They could more easily end up in the hands of cybercriminals who encrypt data and block access to it. Applying patches helps keep malicious actors at bay;
- They bring the latest features and improve the existing ones – Software updates not only close security vulnerabilities but also improve your OS or app, by adding the newest features and making your device work smoothly.
5 frequent software update myths you probably hear (but you need to forget about)
Let’s have a look at these myths and analyze them to better understand why action and proactivity are vital when it comes to keeping your software up to date.
Myth #1 – “This is not a priority, I can just skip the updating part for another time”
This is probably one of the most harmful ways of thinking, and one you need to forget about. That “another time” decision may come too late if you want to better secure your digital assets. Security specialists advise making patching a priority and applying updates within the first hours of them becoming available. Not tomorrow, not in one week or month. As soon as possible, because the speed of patching will make a difference. If you spend more than one week (or even one day) getting up to date with your software, it might be too late. Cybercriminals operate fast and find innovative ways to exploit software vulnerabilities. That’s why we have to keep applying these updates, beginning with the most important service/app we’re using. However, before prioritizing, we first need to acknowledge what the security risks and consequences are and how big the impact is on our online safety. Patching should not be only a priority, but basic and standard cyber hygiene for everyone.
Myth #2 – “If I focus on apps that carry the most prevalent vulnerabilities I am safer”
Here’s another myth we recommend letting go of, and we suggest seeing things from a different perspective. We strongly recommend applying all available updates for all apps that you’ve installed and used. Focusing only on the apps with a higher risk doesn’t make you safer. Every app will ask users for regular updates, and it will (probably) nag you with notifications until you patch it. As annoying as it may be, keeping your installed apps up to date is still important for security reasons. You can also look in the “settings” section of your apps and select the option to receive app updates automatically when a new version is available. Nevertheless, it is important to understand that installing updates will also make a difference in terms of performance (bringing new features), not only security-wise (bug fixing). At a business level, many organizations decide to focus on patching a specific pool of software products and apps which are considered to be among the most popular when it comes to vulnerabilities. This assumption is not entirely true. A Fortinet report concluded that “90% of organizations the company protects have experienced cyber-attacks during which intruders tried to exploit vulnerabilities that were three years or older. In addition, 60% of organizations were attacked with exploits ten years or older.” It is easier for cybercriminals to find a working exploit for one vulnerability and launch an attack within a targeted organization.
Myth #3 – “If I apply software updates only for Microsoft apps, it is enough”
Here is another common myth that we’ve been hearing and reading about. Patching only the Microsoft OS and applications is not enough to keep your system protected from advanced forms of malware and hackers’ attempts to gain access to sensitive data. Don’t forget that third-party applications, such as Adobe Flash or Firefox, have become attractive and major attack vectors for hackers. Researchers at Recorded Future observed that an Adobe Flash vulnerability still ranked as “the second most used exploit by hacking groups.” If you want to dive deeper and know more about Flash vulnerabilities, how to disable Adobe Flash and how you can avoid getting your data compromised, read our detailed article about it. Here are also some insights from Microsoft MVP Brien Posey explaining how to get third-party patches deployed.
Myth #4 – “Cybercriminals usually target and get in through perimeters, so it’s better to focus on keeping them up to date”
Rather than focusing on securing the perimeter, we encourage users and companies to have a broader security mindset and take into consideration all risks that could lead to malicious actors harvesting data and causing business disruption. For those who don’t know, perimeter security means using traditional solutions such as firewalls or antivirus to build defenses and protect a defined boundary (system) from unauthorized physical intrusions. Patching the perimeter is just one part of securing your most valuable digital assets, but it’s not enough. According to a 2018 report, it took most cybercriminals 15 hours to breach a target system, identify critical data and exfiltrate it. Here’s another point of view highlighting the idea of thinking beyond the security perimeter:
Focusing on a strong perimeter to keep the bad guys out seemed to work well enough for a while. But now that attackers routinely reuse credentials or low-tech phishing techniques to enter, and now that data is no longer kept within a perimeter, this outside-in approach is no longer practical.
Security specialists consider perimeter security just basic hygiene and the first line of defense, but we need to adopt a multi-layered security approach to enhance online protection. Mikko Hypponen, one of the best-known cybersecurity experts and Chief Officer at F-Secure, recently underlined the importance of patching:
Patch your systems, use the automatic updates. The updates will make you safer. And here it was the update which burned them. Nobody expects to get hacked through automatic updates.
Myth #5 – “If I patch my software once, I can rest assured that my computer is secure”
Patching your operating systems and apps is vital to fix vulnerabilities and stop hackers from exploiting them. But it’s not enough to do it just once to protect your computer. The best practice is to patch constantly, as soon as new updates are available. When it comes to critical vulnerabilities that have published exploit code, users and companies are urged to apply patches immediately. In terms of patching frequency, it’s worth mentioning that each OS vendor and application vendor releases updates at a specific frequency (see Microsoft Patch Tuesday) or, in special cases, for newly discovered and critical vulnerabilities. As we already said, the speed and timing of patching can be crucial, because if you don’t apply updates after they’ve been released, you leave an open window for cybercriminals to exploit the vulnerabilities and launch new attacks.
Final thoughts
Software update myths will probably continue to exist, as long as we look for easy solutions and basic answers to our most common security fears. But we need to keep in mind that software patching remains an important issue to address if we want to maintain a high level of security. It is, at the same time, a challenge for both users and companies. This is why it’s essential to leverage the key advantages of patching as a proactive security measure and urge everyone to cultivate a healthy and constant habit of keeping their software up to date.
If they want to be less prone to cyber-attacks, home users need to adopt a proactive mindset and keep their software updated. And, when (if) possible, they should enable automatic updates or search for alternatives that provide automatic updates. At a corporate level, it is essential to spread a security culture within the organization and implement basic patch management practices that will help it better control and protect valuable data.
What’s your opinion on this topic? Do you believe in these myths and how much attention do you pay to software updates? We are curious to know your thoughts, so feel free to share them in a comment below. And remember! Next time you see the “we’ve got an update for you” message displayed on your computer screen, make sure you apply it immediately, not another time. Stay safe!