Bite size Cyber: #1 Patching

Are you new to cyber security, and / or is it something you’ve been asked to look at for your organisation? Are you struggling to find sensible advice which is practical and pragmatic? Are you looking for some simple steps which you can follow to help get the ball rolling? Then this short series of articles is for you.

The intention is to provide some bite size nuggets of information which you can apply and which will rapidly help secure your organisation, whether its a company of 2 people or 200 (or 20,000 for that matter).

We’ll also look at other sources of information along the way, which you can read in your own time and which will help provide more context to the topics covered here.

Oh, and just as an aside, elsewhere on this site you’ll find a handy A-Z of terms, so if there’s something mentioned which you don’t know or understand, check that out. If you can’t find what you need there, please do drop me a line.

What you need to know

Let’s start with one of the basic elements when protecting systems, which is patching. When you think about a car or bike tyre, you know that occasionally they get holes in them, and the way they get fixed is by applying a patch. This is where the term patching comes from.

All software is likely to have holes in it which attackers can use to target systems. These holes are called vulnerabilities, and some are apparent from the day the software is written, and some are undiscovered for months or years. Some of these vulnerabilities are related to making the software work properly, and some are related to security issues. A software patch is a piece of code which removes the vulnerability.

Many vendors provide patches to their software on a regular basis. For example, Microsoft typically issue their patches on the second Tuesday of every month: in the industry this is known as “Patch Tuesday”. Other vendors have a different release schedule, and you can easily find out when they are.

You also need to be aware that when patches are released the manufacturer typically gives an indication of the urgency, severity or priority with which they need to be applied. Different vendors have different terms for these patches.

It’s worth remembering that many of us have mobile devices like smartphones and tablets which tell us when patches are ready to be installed. Make sure that you apply those patches when prompted.

What you need to do

  1. Check what software you have, and find out when patches are released.
  2. Ensure that all devices in your organisation have the latest patches installed. Don’t forget to include servers, mobile devices, firewalls and other network devices in the list of equipment to be patched.
  3. Develop a plan – and implement it – to download patches when they are released.
    1. Ensure that the plan includes a step to test the patches on a subset of the machines in your organisation before rolling them out to all machines.
  4. Develop a patch schedule and stick to it. Bear in mind that after a patch has been applied computers may need to be rebooted. After the reboot, check that the patch has been installed effectively.
  5. Install the patches in a timely manner. For example, urgent patches should be applied as soon as possible, but low priority patches can be applied at a more leisurely pace.

Further reading

There are a number of articles on patching around this site, but you may also want to read some “official” guidance. I always recommend the UK Government’s 10 Steps to Cyber Security as a good source of independent, industry standard, information.

You may even decide that, when the time is right, you want to put your organisation through formal security certification and the UK Government’s Cyber Essentials scheme is a good place to start with that.

Shadow IT

Have you heard of Shadow IT? Do you worry about it?

Many organisations have a defined IT policy and processes surrounding it. They may outsource provision to a Third Party, or they may have their own IT department, even if that’s just Billy sitting in the corner, who is totally self taught.

The organisation may have a standard build for all their equipment, and may use only one brand of equipment, which should make managing security risks quite well defined and limited.

However, there may be individuals or whole teams that don’t use the company standard. There might be an MD who really wants to do everything on a tablet device, but the company has a strict “no tablet” policy. There might be a team that installs its own network connection “just in case the company one fails”. And then there’s George in Marketing who prefers to use his Mac to the standard Windows machines.

The MD goes ahead and connects her tablet to the corporate network. The team with their own network connection leave it live and accessible 24×7: there’s no firewall and no way of blocking traffic coming in or going out. George brings in his own Mac and plugs it in to the network. None of these involve the IT or security teams, consequently the risk is unknown and therefore not managed.

These are all examples of Shadow IT – the unknown equipment attached to the corporate network which has little or no security controls in place. Many organisations have a problem with the proliferation of Shadow IT devices.

I think that we’re rapidly approaching – or may already have passed – the moment when we have to stop thinking of it as Shadow IT, and makes sure that our controls can take the plethora of unofficial devices and configurations.

For example, it may be prudent to create a kind of “internal guest network”, for non-standard / uncontrolled devices. This could be easy to connect to but provides an additional layer of control. Using some kind of Mobile Device Management (MDM) solution allows you to provide some services to personal mobile devices, while also giving the ability to remotely wipe the data on them if necessary.

I think we need to be having that conversation in the organisations we work in or encounter. Rather than calling it “rogue” or Shadow IT, call it uncontrolled then work out how to control it.

Z is for …

Zero Day

The time taken between a vulnerability existing and a patch being released to fix it can be several weeks, months or even years. An exploit written to take advantage of this gap is known as a Zero Day.

The bad guys are particularly interested in carrying out attacks against systems with vulnerabilities but no patches, for obvious reasons: it’s very difficult to defend agaisnt them.

Depending on the level of access the zero day can provide, or the damage a bad actor can cause with it, will have an effect on the value of each zero day attack on the Dark Web. Some may sell for “only” a few thousands of pounds, but some can fetch well into five figures, if not more.

A very famous attack carried out using zero days is explained in the film of the same name. It tells the story of an attempt to disrupt the Iranian nuclear programme some years ago, and is well worth watching.

Alexa – can you eavesdrop on us please

After my post last week about the Panorama programme here in the UK, there was a story in the news today about a couple in the US who were surprised by a call from a friend who had been emailed a recording of their conversation. Read all about it here. And no, I couldn’t believe Amazon’s excuse either!

H is for…

Hacking

I’m pretty sure that you’ve all heard the term “hacking”, and you probably know that it has negative connotations. But what exactly is it?

Put simply, it’s trying to get access to a computer or network using vulnerabilities in the security of the target. Note that I don’t necessarily say software: people can be hacked too, which is effectively what social engineering is. I won’t go onto social engineering here as it’ll be covered under “S is for…” later this year, so for the moment I’ll concentrate on hacking software.

Almost all software has errors in it which can be used to make the software do things the manufacturer didn’t intend. The bad guys know this, and spend a lot of time looking for those errors, then writing their own software to make use of these vulnerabilities (weaknesses): this process is called writing exploits.

The bad guys have a number of ways of getting their exploits to run on your systems: phishing emails are perhaps the most common and well known method, as are infected websites which download and install software in the background.

The best ways to protect your systems from hackers are:

  • Change your passwords regularly and enforce long, complex passwords for administrator level accounts
  • Keep patching and antivirus updated
  • Ensure your systems are vulnerability scanned, preferably penetration tested, on a regular basis
  • Ensure you / staff are trained to spot phishing emails

Hacktivism

Hackers who attack systems in support of a specific cause are engaging in hacktivism. Organisations like Anonymous rose to attention because they attracted hacktivists supporting different causes to attack companies which were involved in those causes.

Hybrid cloud model

As the name suggests, this kind of model is a mix of cloud and on-premise service provision. Some of the data / servers being used are in data centres run by your organisation, and some are in the cloud.