I’ve written a post about this on my Security blog, and you can read all about it here. Essentially, don’t panic and follow the advice provided in it (from the National Cyber Security Centre).
I suppose this falls under Security 101, one of the most basic things we’re all encouraged to do with our technology, but there’s always a reason to postpone it:
- My machine slows down while it’s downloading the latest patches
- I’m worried that things won’t work afterwards
- I keep having to reboot my machine, sometimes several times during one set of updates
- I’m busy just now, can I not just do it later?
- I don’t use the Internet much, so my device can’t be infected
- I’m not using Microsoft, so there’s no need to patch
- ….and, well, you know how it goes on….
I’m sure you’ve got your own versions of these, but the point is that these are all just excuses for something that should just be part of your normal experience – in my opinion.
Should we patch absolutely everything? I.e. should we install all updates for all products as soon as they’re available? No, I don’t think so. We should base our patching strategy on a risk assessment. If you find out about a patch for one software programme – let’s say Microsoft PowerPoint – but don’t have PowerPoint on your device, do you need to apply that patch? Not if it only addresses vulnerabilities in PowerPoint, as your device doesn’t have that vulnerability. But if the patch includes other packages which you do have installed eg Excel, then yes, you should.
Why am I picking on Microsoft? Just in order to use program names that we’re most likely to be familiar with. The same principles apply equally to other vendors and other software packages. Software has vulnerabilities, it’s inevitable. If there are none on the day it is released someone somewhere will find some soon afterwards. And the more valuable the data you access through the software, the more likely someone is try to create an exploit for that vulnerability.
In my opinion, you should patch regularly i.e. keep patches up to date. Apart from anything else, this lessens the amount of time spent downloading updates, as you’re keeping on top of things (in many respects, the same goes for antivirus updates too). Patch what you have to, but eg if the patch is for a Mac and you’re using Linux, why apply a Mac patch unless the patch also applies to Linux devices.
Not using the Internet often is no protection either. The only truly secure device (from Internet attack anyway) is one which does not have any form of external interface (wifi, wired, serial cable, whatever) and which is never connected. Some well known legitimate websites have been targeted and have had malicious code embedded in them, infecting users who are only browsing (because no software is totally secure, right?). Botnets are out there looking (in an automated way) for vulernable machines, so you only need to connect once to run the risk of infection. It’s a bit like contraception – if you don’t ever have sex, you’re unlikely to get pregnant, but do it just once without any form of protection and pregnancy is a very real risk.
If you’re only looking at your personal / home PC / laptop / tablet etc, then you’re unlikely to have a test environment. This is the best place to try out new patches, but if you’re a home user then you probably don’t have the luxury of testing things there. In any event, its notoriously difficult to configure your test environment to exactly match your real, live environment, down to version numbers of DLLs and other components, so you’re probably just testing in a representation of your live environment and there will still be some risk when you deploy for real. So what should you do?
This is where having a good, robust (and tested) backup regime comes in. More on that in a future post, so watch this space…