Whether you are an enterprise server administrator or a casual home PC user, you likely have some level of awareness when it comes to keeping things on your computer updated, such as your Windows operating system and common programs like Adobe Flash and Reader. But you might also have a plethora of other things connected to your network as well – cameras, printers, scanners, storage, and so on. How about these devices? Do you really need to be so aggressive about updating all of them as well – even if they are happily humming along and working as expected?
The answer, as my eight-year-old son might say, is “Oh my gosh, totally yes.” Let me break it down and give you some examples and anecdotes about why it’s so important to patch all the things:
I do not think there can be enough importance put on making sure your operating system is patched on a regular basis. The second Tuesday of every month is often referred to as “Patch Tuesday,” and it’s when Microsoft releases new updates and security fixes. However, I wouldn’t necessarily recommend installing them the second they come out. Every once in a while Microsoft has an “oops!” moment and they quickly pull a patch out of circulation to fix it. I’ve been bit a few times by this, so my general rule of thumb is to wait until the Friday or Saturday after patch Tuesday, and do some looking around on Google – usually just searching the phrase “Microsoft Patch Tuesday” will bring any issues to the top of the search results. Last week I even found a blog dedicated to patch Tuesday that might be worth checking out (http://blog.lumension.com/patch-tuesday/). If the coast looks clear, go ahead and install the patches.
On a slightly related note, I once had a heated discussion with a customer who was convinced that patching the operating system was only necessary if something about it was functionally broken. While it is true that patching software can fix functional problems, the bigger concern is security. Unpatched operating systems often have security flaws that allow attackers to “own” (take over) the entire machine and use it to send spam, steal information, attack other machines and basically wreak havoc on your network. So take away this low-hanging fruit from attackers by patching your operating systems regularly.
Adobe Reader and Flash, as well as Java, are two huge targets for viruses and other exploits. That might be why it feels like a new version of these programs are available for download every 17 minutes. Still, annoying as that may be, the updates for these programs often include critical security fixes, so they should be tended to regularly.
However, heed this warning: many corporate applications rely on a certain version of Java being installed, so consult your system administrator before making any changes to your Java configuration. If you are certain you want to install the latest update, read Oracle’s article on how to do so (https://www.java.com/en/download/help/java_update.xml).
Not to get too techy, but I wanted to offer one other tip as it relates to Java. If you know you do not need Java on your machine, I recommend uninstalling it entirely. Java has an article on this (http://www.java.com/en/download/help/uninstall_java.xml), or if you have multiple versions of Java installed and just need to surgically remove all of them in one sweep, check out JavaRa (https://singularlabs.com/software/javara/). A happy medium might be to “unplug” Java from your Web browser while doing casual browsing, and enable Java only when you need it. Brian Krebs has a great article that will walk you through that setup (http://krebsonsecurity.com/how-to-unplug-java-from-the-browser/). Following any of these approaches will significantly reduce your chances of being bit by a Java-related hack.
Your Web browser
Technically this is third party software too, but it deserves special attention. These days, the Web browser is often the weakest link and biggest target for viruses and exploits. I would generally stay away from using Internet Explorer (the reasons why could be an article of its own) in favor of Firefox and Chrome. Both of these do a good job of self-updating or regularly asking you to install the latest update if one is detected.
But, if you are not sure if you’re running the latest, follow these steps to check manually:
- Internet Explorer – updates to IE should come through the regular Windows Updates your machine receives, or you can check manually (http://windows.microsoft.com/en-us/internet-explorer/download-ie).
- Firefox – by default, newer versions of Firefox should prompt you to update the software automatically. However, I’ve had a few of my machines “forget” this regular check, so it’s not a bad idea to verify it yourself once in a while (https://support.mozilla.org/en-US/kb/update-firefox-latest-version).
- Chrome – this browser should also keep itself current without user intervention. It downloads updates in the background automatically and installs them when you close and reopen the browser. Google has an article with more information (https://support.google.com/chrome/answer/95414?hl=en).
This is a big one too. Many of you have the inexpensive Belkin/D-Link/Linksys routers managing your Internet connection at home. In the last few years, researchers have found serious vulnerabilities with many of these routers, so you need to make sure they are up to date as well. Head to the vendor’s Web site (usually in the support area), where there should be updated firmware to install.
Some people cry uncle at this point and are terrified of getting this “techy,” but in most cases it is not as hard as you might think. Here’s an example: I have an old Linksys WRT54G router sitting at home, and this bad boy was quite popular back in the day. If I wanted to get this router back up and running but was a little skittish about doing so, a simple YouTube search for “update WRT54G firmware” treats me to a page of how-to videos to walk me through it, step by step.
Make sure any cameras or home automation equipment you have are kept up to date as well. These are often overlooked but shouldn’t be, especially considering a compromise of these systems could lead to serious loss of physical privacy and/or security.
As an example, a family in Houston was terrified last year when an attacker apparently hacked into a baby monitor and used the built-in mic to say inappropriate things to their sleeping toddler (http://www.theblaze.com/stories/2013/08/14/terrifying-voice-on-the-other-end-of-hacked-baby-monitor-wake-up-allyson-you-little/). In this case, the attackers may have leveraged weak device credentials to log into the router and/or baby monitor, but still, it is a scary reminder to take the security of these devices seriously. The process for applying updates on home automation equipment is usually similar to that of routers – grab the latest software package from the manufacturer and apply it.
Speaking of passwords, you do have long and strong passwords on all your accounts and services, right? If not, see FRSecure’s article on this exact topic (https://frsecure.com/blog/how-to-remember-passwords-without-using-sticky-notes/).
Patching is a critical part of maintaining any personal or corporate network. It is not enough just to patch the Microsoft side of the house – you need to ensure all third party patches and other network devices are getting their proper care and feeding as well.
Curious about how well patched your network is? I would welcome the chance to talk with you about coming out to do a vulnerability scan and give things a fresh look. I can be reached at 952-467-6385 or at firstname.lastname@example.org.
Coming up next
In December, we will ring in the holiday month by sharing some online shopping tips to keep your credit card and other sensitive information as safe as possible.
Then we’ll kick off January 2015 with some ways to help your PC lose its holiday weight. Specifically, we will be discussing tips and programs to de-clutter your machine and get it performing in tip-top shape.