SECURITY EVANGELIST

You’ve probably noticed this too at least once in your life: people who are passionate about their work have a way of talking about it that transmits genuine enthusiasm. When talking to these people, you get a deeper, more informed perspective on the topic under discussion.

That’s exactly the feeling I get every time we do an expert roundup here, on the blog. I have the amazing opportunity to learn from seasoned security experts and pick their brain for advice we can all use.

So far, we’ve gathered invaluable tips and tricks you can apply to improve your online safety, and we’ve also singled out the biggest mistakes that users make about their Internet security. So I felt it was time to join forces and tackle an issue often overlooked by most of the 3.3 billion Internet users (source) out there: software patching.

In simpler words, software patching means applying available updates for operating systems and applications such as browsers, plugins, desktop apps, etc. These updates include both security and feature patches, and are meant to fix or improve the software you use.

Yes, we all find updates annoying sometimes (ok, most of the time), but we don’t like going to the doctor either. That doesn’t mean we don’t have to do it. Software patching is one of those proactive things we can do to seriously enhance our security online.

It’s time you read what 15 top cyber security experts from Bitdefender, ESET, RAPID7, Avira, Sticky Password and more have to say about software updates. If their down-to-earth advice won’t persuade you to make updates part of your digital routine, probably nothing will. (And we have a knack for insisting you take care of your data online, as you may know. So the gentle nagging on this topic may continue. 🙂 )




How to Use Software Patching to Improve Your Internet Security, According to Experts



ANDREI PETRUS

Product Manager at Avira


As an expert in cyber security, how do you prioritize patching in a multi-layered approach to data safety?

In the not-so-far modern history of computers, having an antivirus was somehow sufficient in order to know your data was safe and protected. That was mainly because your information was confined to the case of your computer, with 0 contact to the outer world (discrete storage media disregarded).

As Internet connection became a ubiquitous commodity, its adoption grew exponentially and the paradigm shifted massively from ‘data at rest’ to ‘data in motion’.

Security had to adapt too to address data leakages or breaches that might happen out of bad software quality OR thoroughly architected attacks. Therefore, any modern cybersecurity strategy should include a healthy policy that enforces low time-to-patch for all the software installed on any system. As for prioritization, when we talk security, everything is priority 0.


How would you explain the importance of patching so your grandma can understand it?

An information system is like a physical home for your digital assets: documents, pictures, bookmarks, banking information, etc. Each application that you install on your computer is an addition to the main structure that connects through an open bridge to the main house, in order to benefit from the utilities infrastructure.

As you build up more adjacent structures with direct connection to the core building, your overall premise security level is defined by the weakest of the constructions, as that can be used as an entry point to the core.

If one day, a legitimate builder of a secondary building informs you they realized they left behind an uncovered hole in one of the exterior walls, that’s what we call a ‘vulnerability’ that endangers the entire system (or premise). If they offered to come and fix it, that would be a patch delivered with an update.

A question on every user’s mind: why is software so vulnerable? And what can software users do about it?

The short, simple, and logical answer to this is that software is a direct result of humans’ work. And like any other human conception, it’s sometimes flawed by unintended mistakes, which, unfortunately, open windows of opportunity to the cyber crooks.

The bright side is that you can trim back the negative effects by having a good security strategy in place – see below how.

What is your main practical advice for users regarding patching?

Download computer programs directly from their vendor’s website or from official app stores, turn on automatic updates for your operating system and for the apps that have this capacity, and make use of specialized solutions that automatically keep all your other applications updated.

Also very important, make sure that you are running an Internet security solution on your computer.

On a corporate/institutional scale, what could help more companies leverage the benefits of patching as a proactive security measure?

In a corporate environment, I advocate firmly for having IT-managed devices, backed by a competent IT infrastructure team that employs software patching as a frequent practice.

BYOD (Bring Your Own Device) cannot and shouldn’t be dismissed, but networks that are servicing guests or employees’ free roaming devices should be isolated from the main network, as any vulnerability on these devices – including unpatched software – opens a wide door to attack the main company network.

BRIAN DONOHUE

Technology Journalist Covering Network Security @ Cyber4Sight (Booz Allen Hamilton)



As an expert in cyber security, how do you prioritize patching in a multi-layered approach to data safety?

My experience with implementing security update and patch prioritization regimes is admittedly limited, given my background as a journalist and network security analyst. However, in covering Internet security and providing support to multiple security operation centers, I end up reading, writing, and speaking about security bulletins and patch prioritization fairly frequently. As such, I tend to yield to the expertise of individuals with a better niche understanding of patching processes—such as Qualys’ CTO Wolfgang Kandek.

One of the more interesting patching insights that I gained from a recent interview with Kandek is that he is increasingly prioritizing Microsoft Silverlight vulnerabilities. This change is apparently in part a reaction to employees accessing Netflix, which relies on Silverlight to stream video content, on their work machines. In this way, patch priorities are changing as companies exchange employee flexibility and more lenient device policies for constant availability and increased travel.

How would you explain the importance of patching so your grandma can understand it?

Patching software is like maintaining your car: It will still run without maintenance, but driving becomes more and more dangerous the longer you go on without a check-up.

A question on every user’s mind: why is software so vulnerable? And what can software users do about it?

I think it is something of a mischaracterization to describe software as “so vulnerable.” Even Dan Geer and Bruce Schneier, two of the industry’s most venerated experts, have wondered about whether vulnerabilities are sparsely or densely populated in software.

Ultimately, there is so much software being developed by so many people for such a wide array of purposes that vulnerabilities and exploits are inevitable.

Further, there is so much valuable data transiting software that exploitations of vulnerabilities are equally inevitable.

Pragmatically speaking, there are only really two things that users can do about vulnerable software: stop using the software, which is, in many cases, implausible, or keep using the software and install security updates as early and as often as possible.

What is your main, practical advice for users regarding patching?

Install security updates as early and as often as possible, and try to avoid using any software that is no longer supported and no longer receives security updates.

How could users cultivate a healthy habit of keeping their software up to date? Would you recommend any particular tools?

I can’t recommend any tools for users in particular. Frankly, not including Android, for which the patch process is famously convoluted, the major operating system makers are very aware of the importance of patching and they make it very easy to install updates.

For Windows, nearly all users should be enabling their machines to install updates automatically. For iOS and OS X users, Apple’s update notifications, both for apps and their operating systems, are incredibly conspicuous.

In other words, on most platforms, the vendors are providing plenty of notification that updates are available, the missing component appears to be user-awareness about the need for installing updates.

On a corporate/institutional scale, what could help more companies leverage the benefits of patching as a proactive security measure?

Nearly all corporations and institutions would benefit from better educating their employees—whether they are interns or executives—about the risks posed by security vulnerabilities and the critical importance of prompt and thorough patching.

Under even the best patching regimes, some employees will have some software that they have to update on their own. Education is a key tactic for ensuring that employees know that they need to install updates as well as when and how to do so.

Broadly speaking, I believe that users would be better about installing updates—and adhering to all kinds of security policies—if they only understood the risks that emerge out of inaction.

DAN GOODIN
Security Editor at Ars Technica


As an expert in cyber security, how do you prioritize patching in a multi-layered approach to data safety?

I try to install updates within 24 hours of becoming available.

How would you explain the importance of patching so your grandma can understand it?

It’s really, really important to install so that you don’t get hacked.

A question on every user’s mind: why is software so vulnerable? And what can software users do about it?

All software is vulnerable. Your best chance of not getting hacked is to install updates ASAP.

What is your main, practical advice for users regarding patching?

Patch, patch, patch.

How could users cultivate a healthy habit of keeping their software up to date? Would you recommend any particular tools?

I don’t use tools.

DAVE PISCITELLO
Vice President, Security and ICT Coordination @ ICANN


As an expert in cyber security, how do you prioritize patching in a multi-layered approach to data safety?

Maintaining patch currency, in concert with secure configuration management, is arguably THE most important security practice an organization should perform. What else can layer one in your multi-layered approach be but to identify and mitigate vulnerabilities in your OS and application set?

Properly patched systems also provide the last line of defense for inadequate or incorrectly configured security systems you deploy as additional layers of defense.

How would you explain the importance of patching so your grandma can understand it?

I’d explain that patching is like routine maintenance for her automobile. Replacing known-to-be-exploitable software components is like replacing worn parts.

A question on every user’s mind: why is software so vulnerable? And what can software users do about it?

Several reasons. Most commonly used operating systems and a fair number of the most popular applications antedate the practice of secure code review so there are literally millions of lines of code that have not been reviewed for flawed logic, memory management or other commonly exploited programming errors. Secure code review is time consuming, a cost burden to software manufacturers, adds development time, draws budget away from innovation/features development, and delays delivery to market.

But the unintended cost of not reviewing code is considerable in real costs such as patch and update delivery as well as intangible costs such as harm to brand.

Today, many people know certain software companies as well for their reputation as having exploitable code as they do for the products they offer.

What is your main, practical advice for users regarding patching?

For average users, enable automated patching for your OS. There are also several free and for-fee software packages available that will automate patching for the applications that you use. These are available for many operating systems.

How could users cultivate a healthy habit of keeping their software up to date? Would you recommend any particular tools?

I wrote about this a while ago, see How to keep ALL your software patched and secure, but both products I reviewed are still available. In the post, I mention that “I’ve had some success using Appfresh for my Mac, and Secunia Personal Software Inspector (PSI) for my Windows XP/Vista/7 PCs.”

On a corporate/institutional scale, what could help more companies leverage the benefits of patching as a proactive security measure?

Patch management and endpoint security solutions can be very effective. Look at KBOX KACE (DELL), WSUS (MSFT), SUS (Siemens) and similar software update services or appliances.

DAVID HARLEY
Senior Research Fellow at ESET North America



As an expert with a longstanding, rich background in cyber security, David had a lot of relevant advice to share on software patching. So his contribution to this expert roundup evolved into a fully-fledged article on the ESET blog – We Live Security – where he expanded upon the subject of Vulnerabilities, exploits and patches.

We’re reproducing parts of it below, to give you a taste of what you can learn by reading the entire set of recommendations shared by David, which we highly recommend you go through attentively.


How would you explain the importance of patching so your grandma can understand it?

Computers are more reliable than we sometimes give them credit for. Programs, however, are written by people, and people make mistakes. The more complex and multi-functional a program is, the more certain it is that it contains programming errors. Some of these errors are noticeable, some are inconvenient but not necessarily critical, some may be dramatic in their effects (but these tend to be fixed very quickly). Many, on the other hand, are trivial and may not even be noticed by most or any users of the software under normal circumstances, so could be said hardly to matter at all.

But some, while they may be as good as invisible as far as the average computer user is concerned, matter very much indeed. Not because of how they affect (or don’t affect) the normal running of the system or application, but because potentially, they expose the user and his equipment to the risk of criminal intrusion. There are many reasons why a criminal may want to gain access to your system and data. They may simply want to cause damage, but it’s more likely that their motivation is financial, and there are many ways in which they can make money from illegally accessing systems.

Of course, people who program legitimate applications don’t (usually) deliberately introduce flaws into the code that will allow criminals to exploit them. But quite a small coding slip can introduce a ‘hole’ that allows access to areas – especially areas of computer memory – that they can use to issue inappropriate instructions to the computer that may have nothing to do with the application that contains the hole. Unfortunately, there are lots of people looking specifically for this sort of opening, and they don’t all wear white hats.

What is your main practical advice for users regarding patching?

Well, there are reasons for being cautious about patching. There is a reason that large organizations sometimes have phased update mechanisms that start with testing on machines that aren’t being used for critical business processes: sometimes a patch goes wrong for some people out in the real world, and occasionally the results are catastrophic. Most home users don’t have the resources or expertise to implement an effective formal change management process, but they can at least take precautions so that even a disaster that results in permanent damage to or loss of a system – or even more than one system – doesn’t mean that they lose all access to the data that was installed on that system.

That doesn’t just mean keeping data backed up – vital though that is* – but also ensuring that they’ll be able to reinstall all the applications needed to access that data in whatever ways might be needed, if necessary on a completely new system. After all, while catastrophic and permanent data loss due to a misfiring patch is uncommon, taking those same backup precautions is a necessary defence against security problems that are far more common – encryption of data by ransomware, for example. Remember also that one backup is better than none, but more than one (preferably stored in more than one locality) is much better than keeping all your eggs in a single basket.

On a corporate/institutional scale, what could help more companies leverage the benefits of patching as a proactive security measure?

Patch/update management can be a serious drain on an organization’s resources, though there are services to which the exercise can be outsourced. (I’m afraid I haven’t evaluated any of them myself recently.) The problem is compounded when:

  1. The organization is served by many disparate systems without much standardization of hardware, operating systems, and applications.
  2. Even more so where there is heavy use of BYOD (Bring Your Own Device), unless the range and functionality of devices is restricted and supervised (i.e. Choose Your Own Device from a range of approved devices and apps).
  3. Staff are not made aware of their responsibilities for security (including the maintenance and proper use of systems and services) under a formal and well-publicized policy as part of an ongoing educational initiative.

Attempting to mitigate these difficulties is likely to make it easier to apply an appropriate change management process. It helps to have an IT team (whether in-house or outsourced) including staff members who are aware of the need to track patching issues and resourced to take appropriate action when an issue arises that needs it, whether it’s ensuring that a patch is distributed where it’s needed or dealing (proactively where possible) with compatibility and other issues that may arise.

JOE SHENOUDA
Founder at Cyber Consult


As an expert in cyber security, how do you prioritize patching in a multi-layered approach to data safety?

It’s just as important to patch as it is to deploy other measures. But patching should be a standard procedure in every company. Use good management software to build an overview of all assets and their software and make sure you update them automatically through that software.

How would you explain the importance of patching so your grandma can understand it?

Grandma, if you don’t feed this thing patches, it will stop working. Patch it regularly.

A question on every user’s mind: why is software so vulnerable? And what can software users do about it?

Software was built once from scratch by the hands of software programmers. They might not be aware they are creating security holes while they are delivering what they should: a working software product with certain functionalities.

Then we have the software developers who are more security conscious and may build secure software from the start, but what are they looking at? Do they find all their own errors? Most likely they need a second set of eyes to look at their work. They need to work closely with security testers to, as a mirror, reflect to them what’s left to patch and take care of.

What is your main, practical advice for users regarding patching?

Make sure you have software or management platforms to patch all your software automatically or semi-automatically through a decision making process, much like WSUS does in Microsoft environments with patches. It includes besides Microsoft and Windows updates also your browsers and basically any software that talks to the internet.

How could users cultivate a healthy habit of keeping their software up to date? Would you recommend any particular tools?

I can divide into private use tools for in particular Windows computers and tools you can use for the whole organization, maintaining every laptop from one console.

There are many good ones, I advise to try several and test how they work. It all comes down to testing these solutions and see what works best in test runs.

On a corporate/institutional scale, what could help more companies leverage the benefits of patching as a proactive security measure?

Let’s say 100 laptops suddenly have a vulnerable version of a certain browser installed. You don’t want 100 potential security breaches to happen on your network. They need to be simultaneously patched, and that means *now*. The only way to do that is to take patching seriously and make sure you control it with a management console of the solution of your choice.

JOHN DUNN
Editor and co-founder at Techworld (IDG)


As an expert in cyber security, how do you prioritize patching in a multi-layered approach to data safety?

The first response to patching is to try and reduce the amount of software that needs it on PCs. That means ditching Java, Flash and other browser plug-ins in particular.

How would you explain the importance of patching so your grandma can understand it?

You can’t explain it to your grandma. It’s like admitting the software industry is failing, over and over and frightens and appalls people.

A question on every user’s mind: why is software so vulnerable? And what can software users do about it?

Because it’s seen as cheaper to patch than spend longer developing software without as many flaws.

How could users cultivate a healthy habit of keeping their software up to date? Would you recommend any particular tools?

Secunia’s PSI is good. But my personal recommendation is to buy something like a Chromebook as a home computer. It doesn’t get ‘patched’ as such because it runs barely any software and has extensions that have no privileges.

On a corporate/institutional scale, what could help more companies leverage the benefits of patching as a proactive security measure?

Some hard data on what’s being targeted over time and how quickly patches appear. Security industry doesn’t always pay attention to this.

KEVIN TOWNSEND
Freelance journalist & writer at ITSecurity.co.uk, with more than 10 years’ experience in writing about security issues



Patching is different for companies and home users.

For companies I know of no easy solution: patch too quickly and you risk breaking other parts of your systems; patch too slowly and you become vulnerable to new exploits. Bad guys can treat the issue of a patch like a vulnerability disclosure — they can work out the vulnerability and develop an exploit as quickly as you can patch.

For home users it is important to patch as quickly as possible. The risk of breaking other parts of your computer software is negligible. To facilitate this process, you can choose software that provides automatic updating, and set your options to allow it. But even here there is a potential danger. As more and more software providers move to cloud-based offerings, patching becomes easier. The danger lies in the vendors’ temptation to monetize all opportunities. That means collecting and selling your personal information. Even where they don’t do that today, a future automatic update could start to do so — and you might never know anything about it.

So long as there is software, there will always be vulnerabilities – so there will always be a need to patch. But eternal vigilance is just as important as immediate patching. Automatic patching is easier; but at the same time you don’t know what they’re doing to your computer.

LIVIU ARSENE
Senior E-threat Analyst at Bitdefender


As an expert in cyber security, how do you prioritize patching in a multi-layered approach to data safety?

Before you start patching, you first need to know a couple of things.

First, assess your assets, then focus on the risks and estimate their potential impact on your business.

If possible, try lowering the priority of some vulnerabilities by adding other security mechanisms that reduce an attacker’s ability to exploit the flaws. Some companies also need to abide by some regulatory or compliance requirements, so this should be factored in as well.

How would you explain the importance of patching so your grandma can understand it?

If you’re securing your house using a 70-year-old lock that anyone can break or pick through, a thief would have no trouble getting in and cleaning the place out. But if you have state-of-the-art locks and alarm systems, then a thief would have a really hard time getting in.

A question on every user’s mind: why is software so vulnerable? And what can software users do about it?

There is no such thing as software without flaws, especially when dealing with software that requires external dependencies and resources.

It’s not a question of what software users can do about it – apart from constantly updating their applications to their latest versions – but what developers and testing engineers can do to minimize the risk of having easily exploitable code.

You would be surprised to know how many applications there are out there that have been built from copy-pasting previously written code – sometimes vulnerable – into new applications.

What is your main, practical advice for users regarding patching?

Start updating as soon as patching becomes available.

For companies, start considering virtual patching and Web Application Firewalls if for some reason – usually backwards compatibility and availability issues – you can’t deploy recent updates.

How could users cultivate a healthy habit of keeping their software up to date? Would you recommend any particular tools?

Security software usually comes with built-in modules that constantly check for new patches for commonly exploitable software, such as Adobe Reader or Java. While most applications usually have the auto-update feature enabled, users are encouraged to manually check for updates at least once a week for commonly used software.

MATTHEW PASCUCCI
Cyber Security Specialist & Privacy Advocate at Front Line Sentinel


As an expert in cyber security, how do you prioritize patching in a multi-layered approach to data safety?

Patching, just like all things in security, is based on risk. What is the importance of the asset that’s unpatched, and what is the risk in leaving it unpatched? Understanding these questions will guide your prioritization of patching within your enterprise.

How would you explain the importance of patching so your grandma can understand it?

Patching is adding additional features to your software that makes it either more secure or fixes problems in the program.

A question on every user’s mind: why is software so vulnerable? And what can software users do about it?

Software is vulnerable because it’s being pushed to market quickly without proper vulnerability testing, either statically or dynamically. Users of the software should have automatic updates for all software enabled and verify that it’s as up to date as possible.

What is your main, practical advice for users regarding patching?

Patch frequently. Patch everything.

How could users cultivate a healthy habit of keeping their software up to date? Would you recommend any particular tools?

One of the biggest risks a user experiences in regards to patching is third party applications being vulnerable. The majority of third party applications (Java, Flash, etc.) are major attack vectors for hackers. Using tools like Secunia that alert and even patch third party applications assist with updating your applications to the latest and most secure versions.

On a corporate/institutional scale, what could help more companies leverage the benefits of patching as a proactive security measure?

In a corporate environment you need to show the current state of your environment and relay these risks to management. This is done with a proper patch management program that will incorporate metrics (how quickly systems are being patched, which can’t be patched, etc.) and risk registers on the systems within your network.

MORTEN KJAERSGAARD
CEO at Heimdal Security


As an expert in cyber security, how do you prioritize patching in a multi-layered approach to data safety?

Most of the industry will probably agree that patching is a key security component. Patching is probably also the primary cause of most penetration that happens to IT administrators’ environments. The industry numbers point to vulnerabilities as the root cause of infections, spanning from 65-92% of the compromise sources. Since almost everybody now knows that patching is crucial, I would focus more on the speed of patching, than the fact of actually doing it.

Because, if you spend more than one week (or even one day) in getting up to date with your software, you might as well not update it at all. Cyber criminals manage to come up with and implement exploits in less than 24 hours, so that’s what we have to keep up with, as users.

How would you explain the importance of patching so your grandma can understand it?

Patching is like running on a flat tire: you just have to get it done or you won’t get very far.

A question on every user’s mind: why is software so vulnerable? And what can software users do about it?

Software is made to fit a range of requirements and it’s tested in a range of certain ways. The issue is that you can’t possibly imagine everything that will happen in future, so it consequently becomes vulnerable to attack.

The users themselves can use less software if they want to be less vulnerable – or make sure what they use is up to date.

What is your main, practical advice for users regarding patching?

Automate what you can – and focus on the biggest problems first. Flash and Java are just two of the usual suspects.

How could users cultivate a healthy habit of keeping their software up to date?

Evaluating what software you really use and what you don’t need is an important step. This can help get rid of the clutter. Then, you can use a dedicated product to handle software updates for you, and this applies to both companies and home users. Automation can really help improve security and save time and energy in the process.


On a corporate/institutional scale, what could help more companies leverage the benefits of patching as a proactive security measure?

At the risk of repeating the same information, I have to emphasize automation as a key aspect. Less time spent on software patching means that IT administrators can dedicate their energy and resources to fighting advanced cyber criminal tactics (which we all know are not scarce).

From a simplistic, visual perspective, here’s how things could look like:



[Figure: simplified software patching in a corporate environment]


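Two of the answers above point at the same practical need: Matthew Pascucci asks for a patch management program that produces metrics (how quickly systems are patched, which ones can’t be) and ranks systems by asset risk, and Morten Kjaersgaard argues that the number that matters is the speed of patching, with exploits appearing within a day of a fix. The script below is an added example, not code from either expert or from Heimdal, Front Line Sentinel or any tool named in this roundup. It takes a software inventory, a list of advisories with the first fixed version and the date the fix shipped, and an assumed time-to-patch target per asset tier, and produces an exposure report ordered worst-first. Every host name, product name, version, date and SLA value in it is constructed for illustration.

```python
"""Patch-lag report over a constructed software inventory.

Added example. All products, versions, dates, hosts and SLA targets are
hypothetical; the structure is what a patch-metrics report needs, not any
vendor's format.
"""
from dataclasses import dataclass
from datetime import date

# Hypothetical advisories: product -> (first fixed version, date fix shipped).
ADVISORIES = {
    "pdf-viewer": ("11.0.5", date(2016, 1, 12)),
    "browser-plugin": ("20.0.0.286", date(2016, 1, 19)),
    "java-runtime": ("8.0.71", date(2016, 1, 20)),
}

# Assumed time-to-patch targets in days per asset tier (not from the article;
# "critical" = 1 day follows Morten's "even one day" remark).
SLA_DAYS = {"critical": 1, "high": 7, "normal": 30}
TIER_RANK = {"critical": 0, "high": 1, "normal": 2}

# Constructed inventory rows: (host, asset tier, product, installed version).
INVENTORY = [
    ("fin-db-01", "critical", "java-runtime", "8.0.66"),
    ("fin-db-01", "critical", "pdf-viewer", "11.0.5"),
    ("hr-ws-07", "high", "pdf-viewer", "11.0.2"),
    ("hr-ws-07", "high", "browser-plugin", "20.0.0.286"),
    ("lab-ws-22", "normal", "browser-plugin", "19.0.0.245"),
    ("lab-ws-22", "normal", "java-runtime", "8.0.71"),
]

# Report date for the constructed data.
AS_OF = date(2016, 2, 1)


@dataclass
class Finding:
    host: str
    tier: str
    product: str
    installed: str
    fixed: str
    lag_days: int   # days the fix has been available while this host stays exposed
    sla_days: int

    @property
    def overdue(self) -> bool:
        return self.lag_days > self.sla_days


def parse_version(v: str) -> tuple:
    """Dotted numeric version -> tuple of ints, so 8.0.9 sorts below 8.0.71
    (a plain string compare would get that backwards)."""
    return tuple(int(p) for p in v.split("."))


def is_vulnerable(installed: str, fixed: str) -> bool:
    """True when the installed version is strictly older than the first fixed one.
    Shorter tuples are zero-padded so 11.0 and 11.0.0 compare equal."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


def build_report(inventory, advisories, sla, as_of: date) -> list:
    """One Finding per (host, product) still below the fixed version,
    sorted highest asset tier first, then longest exposure first."""
    findings = []
    for host, tier, product, installed in inventory:
        if product not in advisories:
            continue          # no open advisory for this product
        fixed, shipped = advisories[product]
        if is_vulnerable(installed, fixed):
            lag = (as_of - shipped).days
            findings.append(Finding(host, tier, product, installed, fixed, lag, sla[tier]))
    findings.sort(key=lambda f: (TIER_RANK[f.tier], -f.lag_days))
    return findings


def summarize(findings) -> dict:
    """The numbers management asks for: exposed pairs, how many blew the SLA,
    and the longest current exposure window."""
    return {
        "exposed": len(findings),
        "overdue": sum(1 for f in findings if f.overdue),
        "max_lag_days": max((f.lag_days for f in findings), default=0),
    }


def example_report():
    """Run the report over the constructed data (used by the usage below)."""
    findings = build_report(INVENTORY, ADVISORIES, SLA_DAYS, AS_OF)
    return findings, summarize(findings)


if __name__ == "__main__":
    findings, summary = example_report()
    for f in findings:
        flag = "OVERDUE" if f.overdue else "within SLA"
        print(f"{f.host:10} {f.tier:8} {f.product:15} {f.installed} -> {f.fixed} "
              f"lag {f.lag_days:2}d (target {f.sla_days}d) {flag}")
    print(summary)
```

On the constructed data the critical database host comes out first even though the workstation has been exposed longer, because tier outranks age in the sort; the two overdue rows are the ones a risk register should carry until they are closed or accepted. Real version strings (epochs, letters, distribution suffixes) need a proper version parser such as `packaging.version` rather than the dotted-integer split used here, and the inventory should come from an agent or management console, not a hand-written list.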

PATRICK NUTTALL
Head of the London Digital Security Centre


As an expert in cyber security, how do you prioritize patching in a multi-layered approach to data safety?

I generally separate cyber security challenges into two categories: technical and people.

The technical side is, in many cases, easier to address as it is more under the direct control of IT departments. Embedding security culture into your organization is typically a lot more challenging and requires buy-in from everyone to be successful and sustainable.

The most common technical mistakes which I see during security assessments would be patches not applied or misconfigurations (e.g. vendor default passwords not changed or extra, unnecessary services turned on). Patching is a free way to resolve potential technical vulnerabilities in your IT infrastructure and a schedule for regular patching plus a process for quickly applying critical patches should be a core part of your cyber security strategy.

Unfortunately, we have worked with clients who were victims of external breaches because patches were not applied to vulnerabilities which were discovered in some cases 5+ years ago. Make sure that your IT systems have been configured properly and remember that they need to be inspected and maintained regularly just like any of your other corporate equipment. Think of it as your MOT!

One key point that I would emphasize as part of patching strategy would be testing, particularly for larger organizations with custom developed applications. Patches and updates can have the unintended consequence of breaking other business applications, so where possible you should be conducting tests of critical applications on patched test systems before applying in your production environment with a rollback strategy if it doesn’t work. A major UK bank has suffered from complete IT system failure in some of their core financial systems due to patches or updates which were not applied properly.

How would you explain the importance of patching so your grandma can understand it?

I would explain that software is basically a set of instructions for a computer.

When you are writing instructions, you cannot necessarily anticipate every single scenario which might be encountered or how a certain instruction/rule could be abused to do something bad.

Patching corrects these mistakes in instructions and companies do this on a regular basis to ensure that their software works well and securely.

A question on every user’s mind: why is software so vulnerable? And what can software users do about it?

Software can be vulnerable for a variety of reasons, but typically it is due to mistakes on the part of developers.

Software developers are starting to combat this by using better development methodologies (such as “secure by design”), peer review, or automated code scanning tools which can find common vulnerabilities (such as Veracode).

The best thing that can be done from a user’s perspective is to apply patches and updates regularly, particularly if they are indicated as critical updates. They should also check configurations carefully to make sure that services or features which they don’t need are turned off. They can learn more about this by checking with their IT department, the software documentation or potentially a Google search.

What is your main, practical advice for users regarding patching?

Apply patches regularly! They are free and not only do they make your device more secure but they typically result in applications functioning better.

Software companies put out patches for security reasons or to resolve bugs which result in applications crashing or features not working. The one caveat that I would put on this would be around corporate equipment: make sure to check with your IT department first that they have tested it and that it is okay to apply major updates (such as iOS 9.2 to 9.3, etc.). Sometimes major updates can result in other business applications not functioning properly, so it is best to check before applying.

This will typically not be as much of an issue for personal devices.


How could users cultivate a healthy habit of keeping their software up to date? Would you recommend any particular tools?

For personal users, I would recommend that auto-update for operating systems and applications is turned on. (This will happen by default with newer versions of Windows.)

For corporate users, they should check with their IT department to see how updates are applied and whether they need to take action or if they are pushed out automatically. Many times they just need to click “apply update and restart” but they keep hitting ignore when prompted. It’s important to let these updates apply on a regular basis.

On a corporate/institutional scale, what could help more companies leverage the benefits of patching as a proactive security measure?

This will depend on the IT infrastructure of the company. If they have a lot of custom developed software then they should consider getting source code scanned by an automated scanning tool, like Veracode. If they use primarily or exclusively commercially available software, then they should establish a schedule for regularly applying updates (e.g. weekly or monthly).

As described above, I would encourage testing in their test environment before applying to production systems when possible and have a rollback plan in case it has unintended consequences to prevent business interruption.

PAVEL KRČMA
Chief Technology Officer at Sticky Password


As an expert in cyber security, how do you prioritize patching in a multi-layered approach to data safety?

Start with the most important/frequent service you use. So, for example, if your common daily tool is Office, patch it as soon as a patch is available.

The point is to close the most probable hole first. Next on the list are operating system patches and browser patches – as browsers are becoming the most important part of any installation. Next are frequent “trouble-makers”, like Adobe Flash: the best patch for these is to uninstall them.

How would you explain the importance of patching so your grandma can understand it?

If you realize that the lock on your front door is broken, you would ask a repairman to fix it before someone misuses it. The same goes for patching – you have to patch a software bug before anyone misuses it.

A question on every user’s mind: why is software so vulnerable? And what can software users do about it?

I think that given the complexity of software today, there aren’t many really critical vulnerabilities. It is simply not possible to build something with no bugs.

But the problem comes up when a producer/developer does not focus enough on security, only on nice new features. What users can do is to push producers to focus more on security. Security isn’t flashy or really visible to users, but it is very important.

What is your main, practical advice for users regarding patching?

Let software producers do their job by enabling updates. Users typically postpone updates as long as possible and that is not good for the security of any product.

How could users cultivate a healthy habit of keeping their software up to date? Would you recommend any particular tools?

I don’t think it’s necessary to use any 3rd party tools for patch management. I’ll just repeat my response from question 4: just keep your software updated. Set your settings to automatic, i.e. no action required in order to allow updates whenever necessary.

On a corporate/institutional scale, what could help more companies leverage the benefits of patching as a proactive security measure?

Corporate environments are quite different from home/SMB users. What I see is that most companies have adopted some security rules and corresponding processes – which is good. On the other hand, patch management for all software used within a company is not often part of this approach. It is not an easy task to monitor, test, apply and enforce efficient patch management, but there are tools which significantly help with this task. But patch management must be part of the overall security strategy first.

PIERLUIGI PAGANINI
Founder of Security Affairs


As an expert in cyber security, how do you prioritize patching in a multi-layered approach to data safety?

We have to think of hardware and software components as living entities that evolve over time. Patch management is crucial to ensure that these components remain secure during their lifecycle and interact with other systems without exposing themselves and end users to cyber threats.

How would you explain the importance of patching so your grandma can understand it?

I always say that security is an “instantaneous” concept. What is secure in a specific moment may not be in the next instant. For this reason, it is crucial to identify any potential vulnerability that emerges during the life of a computer system and apply the necessary patches.

A question on every user’s mind: why is software so vulnerable? And what can software users do about it?

Every piece of software, even one developed with a security-by-design approach, could be affected by a security flaw. Software is developed by humans, so it is natural that it could contain coding errors. Another thing that we have to consider is that when developers design a software component, they have no idea how the use cases will evolve. This means that software components could interact with other systems in a way that was not known in the design phase, and sometimes this interaction could trigger specific flaws.

What is your main, practical advice for users regarding patching?

Pay close attention to patching activities.

As for the patching management in critical environments, you should use a dedicated environment specially designed for evaluating the impact of any software patches.

Finally, consider that the “time” factor is crucial to reduce the window of exposure to potential threats.

How could users cultivate a healthy habit of keeping their software up to date? Would you recommend any particular tools?

It’s not a matter of tools; there are several applications on the market that could support system administrators in keeping software up to date. It is essential to spread a security culture within an organization, and patch management is a pillar of a proper security posture for any corporate environment.

On a corporate/institutional scale, what could help more companies leverage the benefits of patching as a proactive security measure?

Patch management must be included in the security policy, and it is important to define a series of indicators to evaluate how the organization applies the necessary fixes to vulnerable applications over time. Security awareness is another key instrument for companies; it is important to educate employees on the possible risks of lacking an effective patch management process.

RAJ SAMANI
VP, Chief Technical Officer at Intel Security (EMEA)


As an expert in cyber security, how do you prioritize patching in a multi-layered approach to data safety?

Patching is what I would regard as basic cyber hygiene. However, it is not a simple response, because any patching policy will have multiple considerations.

For example, there are environments that will not be able to patch immediately and must await formal confirmation from the vendor. Also, fitting things into the patching cycle could well disrupt availability and, without appropriate testing, have a knock-on effect.

We have seen a lot of malware exploit the gap between when patches are made available and when they are actually applied. Therefore, undertaking the appropriate due diligence in a timely fashion is imperative.

How would you explain the importance of patching so your grandma can understand it?

My grandma? Well that may be a little tough because she doesn’t speak English (and I don’t know the appropriate word for vulnerability). However, I would say for anyone else’s grandma, when we talk about security patching, it’s the process of improving the code on your system so that someone won’t be able to take advantage of it.

A question on every user’s mind: why is software so vulnerable? And what can software users do about it?

Our desire for more functionality and features means that the average number of lines of code in modern systems (note I will use the term system to cover everything from OS, apps, etc.) is increasing. For example, Windows NT 4.0 had somewhere around 10 million lines of code, and about 10 years later, with Windows Vista, that number is reported to be about 50 million.

Well, there are industry statistics to suggest that there are x number of vulnerabilities per thousand lines of code. You do the math!

What is your main, practical advice for users regarding patching?

It’s really simple: make sure you do it in a timely fashion, but undertake the appropriate due diligence to ensure that applying patches does not have a negative impact on the systems whose availability you need to maintain.

How could users cultivate a healthy habit of keeping their software up to date? Would you recommend any particular tools?

I don’t think there is a simple answer. However, perhaps using the automatic update feature could be an appropriate response for certain systems.

On a corporate/institutional scale, what could help more companies leverage the benefits of patching as a proactive security measure?

It’s a tough question because this should already be a part of the basic computing practices within all organizations. I think the first article I wrote was about the gap between availability of patches and malware exploiting unpatched systems being too wide. Look at many of the biggest malware attacks, they all could have simply been avoided by patching.
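Two of the answers above point at the same measurable thing: Pierluigi Paganini asks for indicators that show how an organization applies fixes over time, and Raj Samani names the gap between a patch being available and being applied as the window malware exploits. The following Go program is an added example, not code from the page or from any of the experts quoted. It takes a constructed patch inventory (hosts, packages, vendor release date, install date if any) and computes the exposure window per record, patch coverage, and which unpatched items have exceeded a per-severity SLA. The SLA values and the inventory are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Days an organization allows between a fix being published and it being
// installed, by severity. These numbers are assumptions for the example.
var slaDays = map[string]int{"critical": 7, "high": 30, "medium": 90, "low": 180}

// PatchRecord is one (host, package) pair from an inventory export.
type PatchRecord struct {
	Host, Package, Severity string
	Released                time.Time  // date the vendor published the fix
	Applied                 *time.Time // nil while the fix is still not installed
}

// Metrics are the patch-management indicators derived from the inventory.
type Metrics struct {
	Total, Applied   int
	Overdue          int      // unpatched and past SLA: actionable now
	SLABreached      int      // any record whose exposure exceeded SLA, applied or not
	Coverage         float64  // percent of records patched
	MeanExposureDays float64  // average released->applied (or ->now) gap
	MaxExposureDays  int
	OverdueItems     []string // worst exposure first
}

func day(s string) time.Time {
	t, err := time.Parse("2006-01-02", s)
	if err != nil {
		panic(err)
	}
	return t
}

func ptr(t time.Time) *time.Time { return &t }

// exposureDays is the window during which the record was exploitable: from the
// fix being available until it was applied, or until now if still unpatched.
func exposureDays(r PatchRecord, now time.Time) int {
	end := now
	if r.Applied != nil {
		end = *r.Applied
	}
	return int(end.Sub(r.Released).Hours() / 24)
}

// Evaluate computes the indicators for an inventory as of a given instant.
func Evaluate(recs []PatchRecord, now time.Time) Metrics {
	var m Metrics
	type overdue struct {
		text string
		days int
	}
	var od []overdue
	sum := 0
	for _, r := range recs {
		m.Total++
		e := exposureDays(r, now)
		sum += e
		if e > m.MaxExposureDays {
			m.MaxExposureDays = e
		}
		limit, ok := slaDays[r.Severity]
		if !ok {
			limit = slaDays["low"]
		}
		if e > limit {
			m.SLABreached++
		}
		if r.Applied != nil {
			m.Applied++
		} else if e > limit {
			m.Overdue++
			od = append(od, overdue{fmt.Sprintf("%s %s (%s) unpatched %dd, SLA %dd", r.Host, r.Package, r.Severity, e, limit), e})
		}
	}
	sort.Slice(od, func(i, j int) bool { return od[i].days > od[j].days })
	for _, o := range od {
		m.OverdueItems = append(m.OverdueItems, o.text)
	}
	if m.Total > 0 {
		m.Coverage = 100.0 * float64(m.Applied) / float64(m.Total)
		m.MeanExposureDays = float64(sum) / float64(m.Total)
	}
	return m
}

// SampleInventory is constructed data for the example, not a real export.
func SampleInventory() []PatchRecord {
	return []PatchRecord{
		{"web01", "openssl", "critical", day("2016-03-01"), ptr(day("2016-03-03"))},
		{"web01", "java", "high", day("2016-01-15"), nil},
		{"db01", "kernel", "critical", day("2016-03-20"), nil},
		{"db01", "flash", "medium", day("2015-10-01"), ptr(day("2016-02-01"))},
		{"hr-laptop", "office", "high", day("2016-03-25"), ptr(day("2016-03-28"))},
	}
}

func main() {
	m := Evaluate(SampleInventory(), day("2016-04-01"))
	fmt.Printf("coverage %.1f%%, mean exposure %.1fd, max %dd, overdue %d, SLA breached %d\n",
		m.Coverage, m.MeanExposureDays, m.MaxExposureDays, m.Overdue, m.SLABreached)
	for _, item := range m.OverdueItems {
		fmt.Println("  ", item)
	}
}
```

Coverage alone hides the problem; the exposure window and the overdue list are what tell you where the "gap" Samani describes is open right now, and tracking them week over week is the kind of indicator Paganini asks for.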

TOD BEARDSLEY
Senior Security Research Manager at RAPID7


As an expert in cyber security, how do you prioritize patching in a multi-layered approach to data safety?

Routine patching is a critical component of any IT security plan. All software ships with bugs, and some of those bugs expose security vulnerabilities, so staying on top of patches is part of regular cyber hygiene.

How would you explain the importance of patching so your grandma can understand it?

A better task is to explain patching so that my management can understand it. The usual concern is that patching tends to mean downtime for rebooting, but my argument usually goes something like, “if this is so critical that we can’t afford unscheduled downtime, it’s critical enough that we need to patch it so it doesn’t go down on an attacker’s schedule.”

A question on every user’s mind: why is software so vulnerable? And what can software users do about it?

We build software today to be minimally viable, and rely on patching to deal with bugs once the software is in the field. You could take forever building perfect software, but at some point, you need to ship it.

Building network connected software is just about the most complex task humans perform, so it’s unsurprising that bugs are shipped. It’s okay to ship bugs, as long as a patching system is in place. Unfortunately, with many IoT devices, that patching system is either absent or difficult to use.

What is your main, practical advice for users regarding patching?

If it’s possible to enable automatic updates, enable it. If it’s not possible, look for alternative solutions that support automatic patching. We know that users have a hard time keeping up on manual patches, so automating it is critical to keeping up with necessary fixes.

How could users cultivate a healthy habit of keeping their software up to date? Would you recommend any particular tools?

Ideally, users would need to do nothing to make sure they’re running the latest version. Anything that requires intervention, at this point, should be treated as somewhat broken. This is especially true for end users and consumers.

In the event you are stuck with an application that does not support automatic patching, setting a calendar reminder with specific instructions would go a long way. Patches are the bills you need to pay to keep your software minimally secure, so schedule them like bills.

On a corporate/institutional scale, what could help more companies leverage the benefits of patching as a proactive security measure?

Organizations need to select software solutions where updates are a core function of the software itself. These updates need to be automatic, scheduled, cause minimal interruptions, and be delivered in a cryptographically secure manner.
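"Delivered in a cryptographically secure manner" packs several distinct checks into one phrase, and an update client that gets their order wrong is itself an attack surface. The Go program below is an added example, not Rapid7's code or anything from the page; it shows the minimum a client should verify before installing an update: the manifest is signed by the vendor's key (authenticity), the manifest has not expired (no replaying an old-but-valid manifest to freeze a victim on a vulnerable version), the version is newer than what is installed (no downgrade to a version with known holes), and the payload's digest matches the signed manifest (integrity). The manifest format, the build-number versioning and the `Publish`/`Verify` names are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Manifest is what the vendor signs: product, a monotonically increasing build
// number, the payload digest, and an expiry. Format is an assumption for the example.
type Manifest struct {
	Product string `json:"product"`
	Version int    `json:"version"`
	SHA256  string `json:"sha256"`
	Expires string `json:"expires"` // RFC 3339
}

// SignedUpdate is what travels over the (untrusted) delivery channel.
type SignedUpdate struct {
	ManifestJSON []byte
	Signature    []byte
	Payload      []byte
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrExpired      = errors.New("manifest expired")
	ErrRollback     = errors.New("update is not newer than the installed version")
	ErrDigest       = errors.New("payload digest does not match manifest")
)

// Publish is the vendor side: hash the payload, sign the manifest with the
// vendor's private key. The signature covers the exact bytes that are shipped.
func Publish(priv ed25519.PrivateKey, product string, version int, payload []byte, expires time.Time) SignedUpdate {
	sum := sha256.Sum256(payload)
	m := Manifest{Product: product, Version: version, SHA256: hex.EncodeToString(sum[:]),
		Expires: expires.UTC().Format(time.RFC3339)}
	raw, _ := json.Marshal(m)
	return SignedUpdate{ManifestJSON: raw, Signature: ed25519.Sign(priv, raw), Payload: payload}
}

// Verify is the client side. Order matters: nothing inside the manifest is
// trusted until the signature over it has been checked.
func Verify(pub ed25519.PublicKey, u SignedUpdate, installedVersion int, now time.Time) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pub, u.ManifestJSON, u.Signature) {
		return m, ErrBadSignature
	}
	if err := json.Unmarshal(u.ManifestJSON, &m); err != nil {
		return m, err
	}
	exp, err := time.Parse(time.RFC3339, m.Expires)
	if err != nil {
		return m, err
	}
	if now.After(exp) {
		return m, ErrExpired
	}
	if m.Version <= installedVersion {
		return m, ErrRollback
	}
	sum := sha256.Sum256(u.Payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return m, ErrDigest
	}
	return m, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // vendor key pair, generated for the demo
	now := time.Date(2016, 4, 1, 0, 0, 0, 0, time.UTC)
	u := Publish(priv, "agent", 2, []byte("constructed payload for build 2"), now.Add(24*time.Hour))

	_, err := Verify(pub, u, 1, now)
	fmt.Println("genuine update, installed v1:", err)
	tampered := u
	tampered.Payload = []byte("payload swapped in transit")
	_, err = Verify(pub, tampered, 1, now)
	fmt.Println("payload tampered:", err)
	_, err = Verify(pub, u, 2, now)
	fmt.Println("served to a host already on v2:", err)
	_, err = Verify(pub, u, 1, now.Add(48*time.Hour))
	fmt.Println("stale manifest replayed:", err)
}
```

Note that the hash check is last on purpose: only the signature establishes which hash is the right one, and the expiry and version checks reject manifests that are authentic but no longer the one the vendor wants you on. The expiry also means the vendor must keep re-signing, which is the price of not letting an attacker pin you to a vulnerable release.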


Conclusion


I hope that now, after you’ve valiantly read through this expert roundup, you’ve come to realize that you just can’t ignore software updates anymore.

You may have disregarded them as unimportant until now, but now you know that they’re vital. I hope you’ll take the simple steps to integrate software updates into your digital routine. You’ll not only make the web a safer place for your data, but for everyone else as well. (There’s one more reason to feel gooooood about it!)

