Section VII: Cyber Hygiene Part II
Have you noticed a running thread throughout the previous pages? The standard first defense is "keep your software up-to-date". It might be the only defense short of disconnecting from the Internet.

US-CERT describes patches as software that repairs holes in software programs, similar to the way fabric patches are used to repair holes in clothing. When patches are available, vendors usually put them on their websites for users to download. It is important to install a patch as soon as possible to protect your computer from attackers who would take advantage of the vulnerability. Attackers may target vulnerabilities for months or even years after patches are available.

Some software will automatically check for updates. If your vendor offers the option to receive automatic notification of updates, accept the offer. Make sure that you only download software or patches from websites that you trust.

Note that vendors generally release a description of what is addressed by the patches or updates. Sometimes a patch may break a needed feature. Usually, the vendor will acknowledge this shortcoming and suggest a workaround until a more robust patch is available. Check the vendor's website for details.

Much has been said that may make you think you are safe because you are using a Macintosh computer. PCs running Windows get most of the attention because there are more of them. While Macs may not be vulnerable to some of these common infections, they can certainly spread the "disease" through email, contaminated documents, infected websites, etc. Software applications such as Adobe, Microsoft Office, Firefox, Thunderbird, etc., are common across Macs and PCs. Attacks directed towards Macs and Linux computers are on the rise. Botnets are everywhere. So, heed the advice on the previous pages and remember that the best defense against malware is to patch often.

Unpatched Vulnerabilities Are the Main Source of Most Data Breaches
Studies show that patching continues to plague most organizations, with real consequences. Nearly 60% of organizations that suffered a data breach in the past two years cite as the culprit a known vulnerability that they had not yet patched. Half of the organizations in a new Ponemon Institute study conducted on behalf of ServiceNow say they were hit with one or more data breaches in the past two years, and 34% say they knew their systems were vulnerable prior to the attack. The study surveyed nearly 3,000 IT professionals worldwide on their patching practices.

Patching software security flaws should by now seem like a no-brainer, yet most organizations still struggle to keep up with and manage the process of applying software updates. "Detecting and prioritizing and getting vulnerabilities solved seems to be the most significant thing an organization can do [to prevent] getting breached," says Piero DePaoli, senior director of marketing at ServiceNow, of the report. "Once a vuln and patch are announced, the race is on," he says. "How fast can a hacker weaponize it and take advantage of it" before organizations can get their patches applied, he says.
A data breach can and will affect many people.
This page was updated February 06 2020.