We’ve all seen them, whether we are at work or at home, those update boxes that pop up and tell us that there’s a new version of some piece of software that we probably didn’t know we had or didn’t think was important. We’ve all probably had the same reaction: I’ll definitely do that the next time I’m on my computer.
Understandable. Updates take time. Upgrades can take longer. Too often it’s time we don’t have or time we don’t want to invest. But invest we should, because a system that’s not updated or not upgraded is a vulnerable system.
Creating Unnecessary Risk
Often, these updates and upgrades aren’t just pushed out to offer a new feature that we’ll never use. Usually, updates correct broken functionality or, more importantly, plug a security hole. In our world those security holes are called known vulnerabilities. They are the unlocked door that lets the criminally minded into your network. If you don’t update your software then you are leaving the door unlocked.
A similar argument can be made for software that needs to be upgraded, except that the problem can actually be worse. That’s because software versions are eventually retired and left unsupported. Unsupported software isn’t updated. Any vulnerabilities in that older software remain vulnerabilities. Unless you can figure out a way to lock those doors they will remain unlocked. And, honestly, you probably can’t build a lock as strong as the software manufacturer can. Whatever patch you come up with won’t be foolproof.
There’s an interesting example out of Europe on the importance of upgrading software. While the example isn’t necessarily an apples-to-apples comparison, it does point out the risks you run if you decide to operate vital systems on software that’s out of date.
Orly International Airport is the second busiest airport in Paris. On November 7, a glitch in a computer system that helps air traffic controllers with things like takeoffs and landings when the weather is bad caused the planes there to be grounded. Why did this glitch happen? Partly, it’s because this vital piece of software was running on Windows 3.1, an operating system that was released in 1992 and retired by Microsoft in 2001. It’s been gone longer than it was an actively supported software package.
Still, does it make sense to run a piece of software that critical to the safety of millions of people on an operating system that has been obsolete for almost 15 years? No, it doesn’t. But before we collectively wag a finger in judgment, we’d be well served to remember that Orly is not alone. There are, no doubt, countless other companies using outdated or non-updated software as the backbone of their business.
Putting Unneeded Stress on Your Security Tools
So, how do you fix this problem, besides the obvious answer of “update and upgrade your software”? Like a lot of what we talk about here, it’s going to depend on your network and the controls you have on your endpoints. If you have mostly desktop computers and are able to access them remotely, you can go in behind the scenes and make manual updates. Otherwise, it’s critical that you create some sort of system to ensure that your users are keeping their software updated.
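One building block for that “some sort of system” is a check that compares what is actually installed on each endpoint against the support status and patch level you expect. The following is an added example, not code from the original post: a small Python inventory check that flags software as unsupported (past the vendor’s end-of-support date, so no fixes are coming at all), outdated (supported but older than the version carrying the current fixes), or unknown (nothing in the policy table to compare against). The product names, end-of-support dates, version numbers, host names and the “today” date are all constructed for the example, not real vendor support data.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class SupportPolicy:
    """What the organisation expects for one product (constructed values)."""
    product: str
    end_of_support: date   # vendor ships no fixes after this date
    min_patched: tuple     # oldest version that still carries the current fixes


# Hypothetical policy table. Dates and versions are constructed for this
# example and are not real vendor support data.
POLICIES = {
    "os-legacy": SupportPolicy("os-legacy", date(2001, 12, 31), (3, 11)),
    "os-current": SupportPolicy("os-current", date(2030, 1, 1), (10, 4, 2)),
    "reader": SupportPolicy("reader", date(2030, 1, 1), (2, 8)),
}


def parse_version(text):
    """'10.4.2' -> (10, 4, 2). Tuples compare component-wise, so 10.10 > 10.9
    (a plain string comparison would get that wrong)."""
    return tuple(int(part) for part in text.strip().split("."))


def classify(product, version, policies, today):
    """Return 'unsupported', 'outdated', 'current' or 'unknown' for one entry."""
    policy = policies.get(product)
    if policy is None:
        return "unknown"        # nothing to compare against: add a policy entry
    if today > policy.end_of_support:
        return "unsupported"    # no vendor fixes at all, whatever the version
    if parse_version(version) < policy.min_patched:
        return "outdated"       # still supported, but missing current fixes
    return "current"


def assess(inventory, policies, today):
    """Return (host, product, version, status) for every non-current entry."""
    findings = []
    for host, product, version in inventory:
        status = classify(product, version, policies, today)
        if status != "current":
            findings.append((host, product, version, status))
    return findings


# Constructed inventory: the kind of data an endpoint agent or a remote
# query would report back. Host names are placeholders.
INVENTORY = [
    ("atc-ws-01", "os-legacy", "3.1"),
    ("hr-pc-07", "os-current", "10.4.1"),
    ("hr-pc-08", "os-current", "10.4.2"),
    ("fin-pc-02", "reader", "2.8"),
    ("fin-pc-03", "beta-tool", "0.9"),
]

if __name__ == "__main__":
    # Constructed reference date for the run.
    for finding in assess(INVENTORY, POLICIES, date(2015, 11, 20)):
        print("%-10s %-11s %-7s %s" % finding)
```

The point of keeping “unsupported” separate from “outdated” is the one the post makes: an outdated but supported product has a fix you can apply, while an unsupported one has no fix to wait for and needs an upgrade or replacement. The “unknown” bucket is worth reporting too, since software nobody has written a policy for is exactly the software nobody is updating.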
A lot of time is spent here talking about security mindsets and ways to keep your networks safe. Much of that concerns having the right equipment to help you monitor and filter your traffic. But if you aren’t taking care of the basics, all those other measures are wasted effort. A system that has out-of-date software is asking the devices put in place to protect it to do extra work that’s ultimately unnecessary.