Is the lack of policy for software updates killing IT security?by Steve Ragan - Jul 12 2010, 16:15
Is the lack of policy for software updates killing IT security?
A recent report from Secunia highlights the security ecosystem from 2005-2010, and while it offers a solid set of data, the underlying point is to demonstrate the need for software patching. To the point, Secunia says there is no security without updating, but does this claim hold water?
Secunia has said previously that 50-percent of users are found with 66 different programs from more than 22 vendors installed on their systems. In their latest report, the Secunia Half Year Report, they used data collected from PSI installations and singled out the top 50 programs found on a typical system.
A typical end-user PC with 50 programs installed had 3.5 times more vulnerabilities in the 24 third party programs installed than in the 26 Microsoft programs installed. This ratio is expected to grow to 4.4 before the end of 2010, Secunia said.
Overall, the report said that the operating system had little to do with the total number of vulnerabilities that a user is exposed to. Since 2007, Secunia noticed a significant rise in the number of vulnerabilities from third party software. During the first half of 2010, third party software was the primary risk factor on the typical PC.
To keep a typical end-user PC with 50 programs up to date, the user has one auto-update mechanism to patch 35% of the vulnerabilities, and another 13 or more update mechanisms to patch 65% of the vulnerabilities.
When translated to IT operations, these figures are serious, but not as dire as they seem.
“No security appliance, no new Operating System feature, and no new security program is going to eliminate the risk from running vulnerable software. To secure your network you must enforce a security updating policy, which dictates deployment of security related program updates within a given (short) time frame to minimize the window of exposure,” Secunia’s Thomas Kristensen wrote in a blog post on Monday.
Kristensen has a point. New software and features do not translate into instant security. Later in the blog post, where the call is made for businesses to “demand better security from the vendors” and for the vendors to spend significant resources building secure programs, another valid point is made.
I can agree that there needs to be more energy spent in building better code, but in reality that seems more like wishful thinking. Adobe, Apple, Microsoft, just to name three, have spend tons of money on R&D to develop better updating processes and harden their software.
Yet, each of them is constantly under the gun, and not a month goes by that one of them isn’t taking flack for something related to their security programs.
Even Secunia’s latest report shows that since 2005, Apple and Microsoft have consistently remained in one of the top three spots when it comes to the number of vulnerabilities found in their products. Adobe is a consistent presence in the top ten.
I do not agree that making updates easier will solve the security problems that IT faces. Updates are part of a process, but that’s it. They are not the entire process. Managing updates, even the automated deployments, takes manpower and planning. Something that is easier said than done.
While most of the IT staff runs about the company putting out fires, the last thing on their mind is whether the systems with iTunes installed are using the latest version. Maybe IT should be thinking of this, but when there are systems to build, executives to support, and helpdesk phone calls to answer, the typical IT person simply has to pick their battles, and in most cases, third party updates will lose.
When it comes to things like iTunes, Firefox installations, or VLC, there will always be miscellaneous programs that will creep past the installation policies and cause an issue. It’s a fact of life, and while the rest of the company cannot have iTunes installed, you’d better believe that of the CFO or CEO had it installed, it is supported and allowed without question.
Applications like Adobe are an evil all their own. However, Adobe has made a serious push to clean up their security image. In IT this means that instead of just Microsoft, there is now planning for Adobe patches.
While it is a third party application, it isn’t considered an outsider anymore. Adobe offers programs that are simply a part of a business system’s image. Like Windows, Adobe Acrobat and Adobe Reader are monitored, and patches pushed as needed.
In my opinion, it’s easier to choose your battles. Building a security program based largely on software updates offers no more security to the endpoint than a plan centering on prioritizing operating system patches as well as critical software patches and merging them with layered defenses.
In the end, software updates or not, if an attacker is serious enough, they will get to your network. That’s why it is my belief that having both a proactive stance and a response plan is the best way to manage security when protecting assets in a business.
What is your stance on software security in IT? Are businesses exposed to too much risk because of a lack in update policies? How would you balance software updates with the overall security of a network? Chime in below and have your say, even if it is just to tell me I need to put the pipe down.
[This editorial is the opinion of Steve Ragan, and not necessarily those of the staff on The Tech Herald or the Monsters and Critics (M&C) network. Comments can be left below or sent to firstname.lastname@example.org]