Software Updates, Windows Updates, and Application Updates
It seems we can't go a single day anymore without our operating system, application, tablet, mobile phone, and even smart watch asking for a software update. While sometimes these updates bring new features or cosmetic fixes, they almost invariably include security fixes too. Nearly every piece of modern software a consumer uses has bugs, and as they become known to the software vendor, they are constantly working to patch these bugs. That's part of the reason for these regular release schedules.
When I started in the MSP industry managing updates (patch management as it's called in the business) was a big part of what we did. It was a value-add we talked about a lot. It's become decidedly less interesting to people these days, but it is actually as important as ever!
What Needs Patching and Updating?
The short answer is... everything. But here's a quick list to be thinking about:
- Operating systems (Windows, Mac OS, and Linux)
- Primary Applications (Microsoft Office, ERP systems, Accounting Systems, Chat applications, etc.)
- Web Browsers and browser plug-ins (Google Chrome, Firefox, Adobe Flash, etc.)
- Firewalls, Switches, Access Points, and other networking equipment
- Server Firmware and BIOS
- Mobile device operating systems (iOS and Android)
- Mobile device applications
Another area that's becoming more prominent is the Internet of Things (IoT). Many of our other devices these days are connected to our networks, and unless we've secured them other ways, we should be considering them in the fold of devices we manage and maintain software updates for:
- AppleTV or ChromeBox
- Network Printers, Scanners and Multifunctions
- VoIP phones
- Network Audio Equipment (Sonos)
- Video Conferencing Equipment
- Smart TV's
- Video Cameras and Surveilance
- Security Systems and Equipment
What Does Patching Really Do For Me?
The most important thing patching does for your business is adds security to the environment. Patches fix known vulnerabilities. Once vulnerabilities are known to hackers, they become much faster and easier for them to exploit. Because hackers know many individuals and businesses don't have good update hygiene, there will be a lot of people that can still take advantage of this even though the software bug has already been fixed by the vendor. Sometimes hackers aren't even aware of a vulnerability until the patch is released by the vendor. Still to this day, there are computers and devices on the Internet that are susceptible to very old malicious software (viruses, malware, adware, ransomware, etc.) even though a patch has long been released. The easiest way to keep most risks at bay is good patch management.
There are risks called "zero-day" attacks. These are vulnerabilities that are often discovered by hackers and are usually unknown to the software manufacturer as well. In fact, there's a whole dark market of people selling zero- day attacks, and depending on what they do, they can be very valuable to criminals. Patching won't help zero-day attacks when malicious software attacks it immediately, but good patch strategy will help when the software manufacturer releases a patch, which is usually really fast. This is also why other security measures like AV/AM software and deep packet inspection (DPI) firewalls are important, among a few other things outside of this blog post.
How do I do this?
One option, of course, is to hire a Managed Services Provider like Be Structured to manage this for you. There's the plug for our services. But if you want to do it on your own here's the quick list of what to do:
- Identify all the devices on your network that need to be patched. Make as complete of an inventory as possible.
- Next, find systems that can manage these updates for you. Running around patching individual systems is far too time consuming. In the Microsoft world there's Microsoft Windows Update Server (WSUS), Apple has great products like JAMF, and many IoT devices these days allow for auto-update settings to be setup on them.
- Finally, when you're all setup with your patch systems, you need to manage things. Run monthly reports confirming things are patching OK and deal with problematic systems that didn't run a patch successfully. Also, for systems you couldn't automate, run those patches on a schedule of your choosing manually.
While patch management might not be the exciting topic (was it ever really that exciting?) that it was 10 years ago, it's still critical, and with the Internet of Things (IoT) and basically everything being on the network these days, it's become more complex than ever. Remember when we all just had a Windows or Mac computer and that was our only work device? Regardless, it's important to stay on top of this part of your network and security infrastructure. Give us a call if you want some help accessing your patch strategy!