Forgotten Security: Patching and Updating

December 17, 2009 by ADMIN

By Simon Heron, CISSP Internet Security Analyst

The fourth guide in our ‘Forgotten Security’ series, Forgotten Security: Keeping up to date, is aimed at IT teams, encouraging them to take another look at their update procedures and to make sure those procedures cover both software and equipment.

A fully updated system is protected against the latest threats.

For example, we’ve seen hospitals falling victim to the Conficker attack months after the patches were released.

If the systems had been updated as soon as the patches were available they would have been immune to infection.

It’s not just software we need to keep updated.

Failure to update equipment such as routers could result in organisations’ websites falling victim to denial of service attacks which could impact reputation and sales.

The guide, which is published today and available for free download from our website as a PDF (http://www.network-box.co.uk/sites/default/files/NBWP_forgotten_security_4_up_to-date.pdf), advocates a considered approach to installing updates.

Before installing, it’s important to ask whether the update is actually needed, as installing the wrong patch can crash an entire system.

To help clarify the situation, the guide provides a checklist for IT teams to use before initializing the update process.

For example, is the patch provided by the system vendor? Is the patch compatible with the company’s system?

Having fully updated and patched software and equipment is a vitally important element of a company’s IT security, but is often overlooked.

Businesses need to make system security the primary concern when they purchase a system, service or device.

They need to ask essential questions such as:

•    How easy is the system to update?
•    What does the vendor do to make you aware about any issues?
•    Where can solutions be downloaded and installed?
•    How can patches be tested?
•    Can the system be rolled back to its pre-update status?

All of the ‘Forgotten Security’ guides are available for free download from the Network Box website.

* * *


Simon Heron has over 19 years’ experience in the IT industry, including nine years’ experience in Internet security. During this time he has developed and designed technologies ranging from firewalls and anti-virus to LANs and WANs. Simon has an MSc (attained with Distinction) in Microprocessor Technology and Applications and a BSc (Hons) in Naval Architecture and Shipbuilding, and is a CISSP (Certified Information Systems Security Professional). Prior to Net Caboose, Simon co-founded Network Box Corporation (UK) Ltd and was Managing Director, finally merging this franchise with the parent company in 2006. Before Network Box, Simon joined the British Antarctic Survey (B.A.S.) as science project leader, and spent two Antarctic winters at the Halley research station in the Antarctic, developing and enhancing graphical technologies in the harshest of conditions. Simon also runs a company called Net Caboose, which deals with Identity and Access Management and is also a development house.

Network Box Limited (NBL) is an international managed security services company, specialising in unified threat management (UTM). It continuously defends the networks of its customers using PUSH technology to instantaneously update protection, from 12 Security Operations Centres spread around the globe. NBL’s customers in Asia, Australia, North America and Europe include companies such as BMW, Nintendo and Toyota, as well as banks, utilities companies and government organisations.

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com




Comments

One Comment on Forgotten Security: Patching and Updating

Scott on Mon, 21st Dec 2009 9:12 pm

Simon, I would add one more item to your checklist:

    - If the patch is inappropriate, non-compatible, or otherwise not deployable within the appropriate time frames, what controls are available that can be used to mitigate the risks identified with leaving the system unpatched?
