You have probably been prompted for software updates several times. Though you know they are important, you may keep ignoring them.
Surely there are reasons for ignoring them – “Sending an email to the client is important right now”; “It’s my presentation day today so I need to finish the presentation”; “What if something breaks?”
But when something goes wrong with your software, you hear the nagging voice at the back of your head saying you made a bad decision.
You need to hear it clearly: software updates can’t wait, especially when it comes to your servers or business systems. Software updates contain critical bug fixes; left unpatched, your system is a fish in a barrel for hackers.
The MITRE vulnerability database shows that the number of software vulnerabilities keeps increasing every year. As the vulnerabilities increase, so does the chance that hackers succeed.
Countless vulnerabilities are disclosed every year, and high-profile hacks are reported daily. Even after hearing all this, several business people keep their systems unpatched. Let’s check out why.
There’s NO notification – You get continuous update notifications on your phone or laptop without logging in. But unless you log in to your web applications or servers, you won’t see their notifications, so there is a good chance you will miss them.
There are TOO MANY notifications – With so many applications and systems in use, you get numerous notifications every day. So you keep thinking, “I will do it later”.
Uncertainty about updates breaking things – You might recall the struggle of a past upgrade that went horribly wrong, and so you want to play it safe now.
Upgrades are not straightforward – Some applications, like WordPress, let you upgrade at the click of a button. But for several others the upgrade process might be complicated: you may need to download a zip file, unzip it, upload it to the server and wait for the results once the upgrade is done.
It always pops up in the middle of something more pressing – The notification pops up when you’re about to call a client, while you’re making that all-important presentation, or just before you wrap up for the day. And so you click on “Later”.
It won’t happen to me – Bad things happen daily in the IT industry, but we are confident that the same won’t happen to us. You then postpone that update by 2 more days, telling yourself that it won’t do you any harm.
Patching and updating a server can be a tough job and sometimes a bit complicated. But remember, putting off available updates isn’t a good idea.
- Configure update/patch notifications for everything
Many companies release emergency patches in response to public vulnerability disclosures. To secure your system, these patches need to be applied without delay. But what if you don’t get the update notification? You won’t be able to update, right?
It is better to set up update notifications for all your applications so that you can update them when required. On servers such as Red Hat Linux, you can configure tools like yum-cron for this purpose.
- Subscribe to security mailing lists
It’s a fact that application vendors take a long time to patch a publicly disclosed vulnerability. When such vulnerabilities are detected, security researchers publish advice to follow while you wait for a full patch, since exploit attempts can happen in the meantime.
To get this advice from security researchers, subscribe to as many security channels as possible. Also make sure they include the channels for the applications you use.
Note: In some cases, a mitigation strategy won’t be available immediately. In that situation, it is best to contact a security expert to evaluate what options are available.
- Identify critical security updates – apply them immediately
After receiving an update notification, check the list for any security-related entries. These entries will have a CVE number associated with them.
Look out for those described with terms like “denial of service”, “remote”, “arbitrary code execution”, etc. These vulnerabilities have the power to cripple your business. Patch them immediately.
Remember to go through all update notifications. Check for critical vulnerabilities and, if you find any, patch them right away. Ignoring them would lead to distractions.
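One way to apply this check to an incoming notice, added here as an illustration and not part of the original article: the script sorts entries by whether they carry a CVE number and one of the terms listed above. The notice format, package names, CVE numbers and bucket names are constructed assumptions.

```python
import re

# CVE identifiers: "CVE-", a four-digit year, then four or more digits.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)

# The terms this article says to look out for in security entries.
URGENT_TERMS = ("denial of service", "remote", "arbitrary code execution")

# Constructed sample notice: package names and CVE numbers are placeholders.
SAMPLE_NOTICE = """\
Updates available (constructed sample):
- examplelib 2.4.1: fixes CVE-2099-0001, remote attackers could reach arbitrary code execution
- exampled 1.9.3: fixes cve-2099-0002, Denial of Service via crafted header
- exampletool 0.8.0: fixes CVE-2099-0003, local information disclosure
- examplesync 3.2.0: adds an option for remote backup targets
- exampledocs 1.1.0: documentation refresh
"""

def triage(notice):
    """Sort bulleted update entries into four buckets by CVE and urgent terms."""
    buckets = {"patch_now": [], "scheduled": [], "review": [], "routine": []}
    for raw in notice.splitlines():
        line = raw.strip()
        if not line.startswith("-"):
            continue  # headers and blank lines are not update entries
        entry = line.lstrip("- ").strip()
        cves = sorted({c.upper() for c in CVE_RE.findall(entry)})
        lowered = " ".join(entry.lower().split())  # normalise case and spacing
        terms = [t for t in URGENT_TERMS if t in lowered]
        if cves and terms:
            key = "patch_now"   # security entry with a high-impact term
        elif cves:
            key = "scheduled"   # security entry, lower urgency
        elif terms:
            key = "review"      # keyword without a CVE: a human should read it
        else:
            key = "routine"
        buckets[key].append({"entry": entry, "cves": cves, "terms": terms})
    return buckets

if __name__ == "__main__":
    for key, items in triage(SAMPLE_NOTICE).items():
        for item in items:
            print(f"{key:10} {', '.join(item['cves']) or '-':16} {item['entry']}")
```

A keyword match without a CVE number lands in `review` rather than `patch_now`, so a feature note that merely mentions "remote" does not trigger an emergency patch.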
- Set up auto-update of security patches where possible
Many applications let you configure auto-updates. This will save you valuable time when you face high-severity vulnerabilities.
Remember that auto-updates can break applications. Use this feature only if you haven’t made any custom configuration changes.
Some applications, like WordPress, let you configure auto-updates for security fixes (called minor releases) while keeping manual updates for major releases (which might break themes, plugins, etc.).
- Use test servers if you suspect software conflicts
It’s impossible to apply all updates at once. And if your server or applications are customized, new updates could break existing functionality or even cause downtime.
If you think that an update could cause such an issue, it is logical to try out the new patches on a test server first. Set an observation time, then apply the patches if all is working fine. It is also a good idea to look at user reports of compatibility issues on vendor forums.
No doubt, software updates are important. You can’t afford to miss any of them if you want to secure your system.