The Cyber Essentials security update management controls
Patching
Software is made up of thousands of lines of code. Studies have found that in every 1000 lines of code there are on average 10-15 errors. Most of these errors are unnoticeable to the user; however, each error is a potential vulnerability. When vulnerabilities are discovered, reputable software developers release fixes as software updates to correct the known error. This is known as ‘patching’. Old and ‘unpatched’ software that has not been updated is therefore vulnerable to hackers and cyber criminals.
Cyber Essentials requires that all critical and high-risk updates, or updates with no severity details provided, must be installed within 14 days of release by the vendor.
- Some vendors use different terms to describe the severity of vulnerabilities. ‘Critical’ or ‘high risk’ can also be defined as a CVSS v3 base score of 7 or above, where CVSS (the Common Vulnerability Scoring System) provides a numerical representation of the severity of software vulnerabilities.
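The 14-day rule above combines two tests: is the update in scope (critical or high risk, meaning CVSS v3 base score of 7 or above, or no severity details at all), and if so, was it installed within 14 days of the vendor's release date? The following script is an added example, not part of the Cyber Essentials or IASME guidance, that applies those tests to a small constructed list of vendor updates. The vendor names, dates and scores are made up for illustration, and the status labels (`out_of_scope`, `pending`, `compliant`, `late`, `overdue`) are this example's own.

```python
"""Assess vendor updates against the Cyber Essentials 14-day patching rule.

Added example: the rule text comes from the guidance, but the data model,
status names and sample data below are assumptions made for this script.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Figures taken from the guidance: 14-day window, CVSS v3 base score >= 7.
PATCH_WINDOW = timedelta(days=14)
CVSS_HIGH_THRESHOLD = 7.0


@dataclass
class Update:
    name: str
    released: date                      # date the vendor published the update
    cvss_v3: Optional[float]            # None when the vendor gave no severity details
    installed: Optional[date] = None    # None when the update is not yet installed


def must_patch_within_window(u: Update) -> bool:
    """In scope if critical/high (CVSS v3 >= 7) OR the vendor gave no severity."""
    return u.cvss_v3 is None or u.cvss_v3 >= CVSS_HIGH_THRESHOLD


def deadline(u: Update) -> date:
    """Last day on which installation still satisfies the 14-day rule."""
    return u.released + PATCH_WINDOW


def assess(u: Update, today: date) -> str:
    """Classify one update as of `today`.

    out_of_scope : not critical/high, so the 14-day rule does not apply
    compliant    : installed on or before the deadline
    late         : installed, but after the deadline
    pending      : not installed, deadline not yet reached
    overdue      : not installed and the deadline has passed
    """
    if not must_patch_within_window(u):
        return "out_of_scope"
    due = deadline(u)
    if u.installed is not None:
        return "compliant" if u.installed <= due else "late"
    return "pending" if today <= due else "overdue"


def report(updates: List[Update], today: date) -> Dict[str, str]:
    """Map each update name to its status; a practitioner would feed real advisories here."""
    return {u.name: assess(u, today) for u in updates}


# Constructed sample data (hypothetical vendors, dates and scores).
AS_OF = date(2024, 3, 1)
SAMPLE_UPDATES = [
    Update("vendor-A hotfix", date(2024, 2, 10), 9.8, installed=date(2024, 2, 15)),
    Update("vendor-B update", date(2024, 2, 1), None),          # no severity given
    Update("vendor-C feature pack", date(2024, 2, 20), 4.3),    # medium: out of scope
    Update("vendor-D fix", date(2024, 2, 25), 7.0),             # exactly at threshold
    Update("vendor-E fix", date(2024, 1, 5), 8.1, installed=date(2024, 1, 25)),
]


def sample_report() -> Dict[str, str]:
    """Run the assessment over the constructed sample as of AS_OF."""
    return report(SAMPLE_UPDATES, AS_OF)


if __name__ == "__main__":
    for name, status in sample_report().items():
        print(f"{status:>12}  {name}")
```

Note that an update with no severity details is treated as in scope, exactly as the guidance requires, and a score of 7.0 sits on the threshold and is in scope. In practice the `Update` records would be built from vendor advisories and your patch-management inventory, and anything reported as `overdue` or `late` is a finding against the control.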
The easiest and most effective way to ensure that all your software is kept up to date is to turn on automatic updates on each of your devices. This will mean that patches are automatically applied when they are released by the respective vendor.
For some larger organisations, there is a concern that some software updates may stop other software from working or cause some features to break. Most IT teams in larger organisations aim to fully test each update on a controlled sample of devices before applying it company-wide.
- It is always a good idea to have backups of your data before updating.
- The National Cyber Security Centre has some useful guidance on installing software updates without breaking things.
Unsupported, legacy or end-of-life software
When software is unsupported, the vendor will cease to create and send out patches. The age at which software becomes unsupported varies significantly between vendors.
At this point, the software is classed as ‘legacy’ or ‘end of life’: it is no longer supported and therefore no longer secure to use. Not only are the vulnerabilities left unpatched, but they become public knowledge for security researchers and hackers alike, who create programmes and services that make them easy to exploit, even for attackers with low levels of technical expertise.