Good security begins with the endpoint in mind

Robert C. Covington | March 4, 2016
Robert C. Covington highlights the common excuses for poor patch practices, and offers specific suggestions for improvement.

Let's begin today with a quick quiz: What percentage of the PCs in your business or organization have all of the required patches for the operating system and application software? I'll bet you are tempted to say 100%, since you probably assume that your workstations are set to get updates automatically.

Here is an easier question: Does YOUR workstation have all of the available patches? If you are like most, the answer to either question is no. 

I have performed security assessments for a number of customers, many of whom are quite security conscious, and I have yet to find a single customer who has even a simple majority of workstations -- or endpoints as they are often known -- patched properly. Why, you ask? Here are the common excuses I find.

Ignorance is bliss -- assume the manufacturer/supplier is smart enough to configure a new endpoint properly, so trust their judgment and don't worry about it. 

Our policy is law -- we have a written policy requiring that employees keep their workstations patched and up-to-date, and we trust our people. 

Automation rules -- we verify that all workstations are set for automatic updates, and trust the software to take care of itself. 

Unfortunately, none of the above is a reliable means of ensuring that endpoints remain patched. You cannot rely on the initial software installation to ensure that updates take place automatically. Automation, even Microsoft Windows Update, probably the most proven automatic update mechanism in the industry, breaks down with some frequency. Finally, since updates usually require a reboot, when your employees are given control they will often turn off automation and ignore prompts, so they can focus on their work. It is hard to completely fault them for that. 

If your organization uses Macs instead of Windows PCs, you are not immune to patch issues. The Apple update process, while inherently automatic, often requires some user intervention. As I noted above, employees can be counted on to focus on their work, ignoring or delaying patches. Additionally, Apple users often suffer from what I call "Mac euphoria syndrome," which is the irrational belief that since Macs have traditionally suffered few security issues, they don't have to worry.

Now, I will be the first to admit that this is a challenging problem for all but the smallest companies. If your organization has three PCs, it is easy enough to put a note on your calendar to check their update status every week, at least for the operating system. By the time you reach 10 PCs, this becomes a major task. More than that, and either more personnel or some automation is required to keep up.
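One way to do that weekly check on a Windows workstation, as an added example that is not part of the column: the script below asks the Windows Update Agent whether automatic updating is actually switched on, which applicable updates are still missing, and whether an installed update is only waiting on a reboot. The function name and the "compliant" rule are my own; it assumes the endpoint can reach its update source.

```powershell
# Added illustration (not the column's own code): audit one Windows
# endpoint's patch state through the Windows Update Agent COM API.
# Run it on the workstation itself; Search() needs network access to
# the update source and can take a minute or more.

function Get-EndpointPatchStatus {
    [CmdletBinding()]
    param()

    # How is automatic updating configured? NotificationLevel values:
    # 0 not configured, 1 disabled, 2 notify before download,
    # 3 notify before install, 4 scheduled (fully automatic) install.
    $auto  = New-Object -ComObject Microsoft.Update.AutoUpdate
    $level = $auto.Settings.NotificationLevel

    # Ask the agent which applicable, non-hidden updates are not installed.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $missing  = $searcher.Search("IsInstalled=0 and IsHidden=0").Updates

    # An update that is "installed" but waiting on a reboot protects nobody yet.
    $rebootPending = [bool](New-Object -ComObject Microsoft.Update.SystemInfo).RebootRequired

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        AutoUpdateLevel = $level
        MissingCount    = $missing.Count
        MissingTitles   = @($missing | ForEach-Object { $_.Title })
        RebootPending   = $rebootPending
        # "Patched properly" (my rule) means all three conditions hold at once.
        Compliant       = ($level -eq 4) -and ($missing.Count -eq 0) -and (-not $rebootPending)
        CheckedAt       = Get-Date
    }
}

# Usage: one workstation now. For a fleet, run this on each endpoint and
# collect the objects into a CSV for the weekly review instead of trusting
# the "automatic updates are on" checkbox.
$status = Get-EndpointPatchStatus
$status | Format-List
if (-not $status.Compliant) {
    Write-Warning ("{0} is NOT fully patched: {1} missing, reboot pending: {2}, auto-update level {3}" -f `
        $status.ComputerName, $status.MissingCount, $status.RebootPending, $status.AutoUpdateLevel)
}
```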
