Welcome to part 6 of the Cyber Essentials blog series: Top 7 things you need to know before you start your assessment.
Here, we are going to talk about applications, also known as third party updates.
Let’s start with “What is patching?”
A patch is a small program, or in some cases a major update that is designed to resolve or fix a known issue.
Application updates can prove to be challenging in a number of ways.
Number 1 – Compared to our last post, where we spoke about operating system and firmware updates, application updates typically don’t follow any regular release schedule.
Number 2 – It’s difficult to determine whether your application is still receiving updates without searching the vendor’s website, and even then it’s sometimes not clear.
Number 3 – In most cases, well-known applications update themselves automatically; however, by far the majority of applications don’t. They either require you to download the update or complete a version check.
Number 4 – You cannot rely on Microsoft or Apple to keep your applications updated. You will need to manage this process yourself. If you rely on an IT support company, they will need to invest in tools that cater for third party applications.
Why is it important to patch your programs?
Generally speaking, third party updates – or the lack thereof – contribute to a high number of cyber attacks.
It’s very difficult, if not close to impossible, to create a program that does not have any vulnerabilities. The industry has grown over the past several years, and responsible companies now pay white hat hackers (good hackers) bounties to report any vulnerabilities. Even so, it’s very difficult to find all bugs. You can earn hundreds of thousands of pounds for a single vulnerability if it’s critical enough, so there is big money in this field.
“Black hat hackers”, the bad guys, can earn even more, so this is a massive business in its own right.
Even when a patch is released, the bad guys will regularly review it and attempt to reverse engineer the fix to identify what changes have been made. In a lot of instances they are then able to take advantage of unpatched computers, writing programs that specifically target these vulnerabilities.
This can happen anywhere from several hours to several weeks after the patch is released.
Cyber Essentials Policy
All applications must be supported and receiving regular security updates, and again the 14 day rule applies to High and Critical updates. Therefore it’s important that you regularly review which applications you have installed on your computers and mobile devices.
For smaller organisations, paper policy update controls will be sufficient; for larger organisations an assessor would be looking for some form of technical control. Worst case, the lack of one would be stated as an assessor comment on the feedback report.
You will need to list the applications that are currently in use across your organisation, and don’t forget this also includes mobile devices.
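The review described above can be made mechanical once you have that list. Below is an added example (not part of the original post or of the Cyber Essentials scheme) that applies the 14 day rule to a constructed application inventory: unsupported applications fail outright, High and Critical patches outstanding for more than 14 days fail, and everything else is flagged for review. The record fields, the sample entries and the status labels are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

PATCH_WINDOW_DAYS = 14                      # Cyber Essentials limit for High/Critical
FAST_TRACK_SEVERITIES = {"critical", "high"}  # severities the 14 day rule applies to


@dataclass
class AppRecord:
    """One inventory entry (field names are assumed, not a Cyber Essentials format)."""
    name: str
    version: str
    vendor_supported: bool            # is the vendor still issuing security updates?
    patch_severity: Optional[str]     # severity of the newest unapplied patch, if any
    patch_released: Optional[date]    # vendor release date of that patch
    patched: bool                     # has the latest patch already been applied?


def assess(app: AppRecord, today: date):
    """Return (status, reason) for one application on the given review date."""
    if not app.vendor_supported:
        return "FAIL", "unsupported software: no security updates are available"
    if app.patched or app.patch_released is None or app.patch_severity is None:
        return "OK", "up to date"
    age = (today - app.patch_released).days
    if app.patch_severity.lower() in FAST_TRACK_SEVERITIES:
        if age > PATCH_WINDOW_DAYS:
            return "FAIL", f"{app.patch_severity} patch outstanding {age} days (limit {PATCH_WINDOW_DAYS})"
        return "DUE", f"{app.patch_severity} patch outstanding {age} days, {PATCH_WINDOW_DAYS - age} left"
    # Lower severities are not covered by the 14 day rule but still need regular review.
    return "REVIEW", f"{app.patch_severity} patch outstanding {age} days"


def review_inventory(inventory, today: date):
    """Map each application name to its (status, reason)."""
    return {app.name: assess(app, today) for app in inventory}


# Constructed sample inventory; names, versions and dates are invented for the example.
SAMPLE_INVENTORY = [
    AppRecord("ExampleBrowser", "120.0", True, "Critical", date(2024, 2, 10), False),
    AppRecord("ExampleOffice", "16.2", True, "High", date(2024, 2, 25), False),
    AppRecord("OldPDFReader", "9.0", False, None, None, False),
    AppRecord("ExampleArchiver", "3.1", True, "Low", date(2024, 1, 1), False),
    AppRecord("ExampleChat", "5.4", True, "High", date(2024, 2, 1), True),
]

if __name__ == "__main__":
    for name, (status, reason) in review_inventory(SAMPLE_INVENTORY, date(2024, 3, 1)).items():
        print(f"{status:6} {name}: {reason}")
```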
In section 8 of your Cyber Essentials question set, if you have mobile devices in scope you will likely select Control B – “Only allowing software from an App Store” or “Application Whitelisting”. This goes on to ask you to implement controls to manage installed applications. This control doesn’t apply to normal computing devices, as they typically have full-blown antivirus installed; it is aimed more at Android (where you choose not to install AV – I recommend you do, something like Sophos AV, which is free) or is typically used for iOS devices.
In particular for Cyber Essentials, applications represent a major risk, so pay particular attention to implementing an update process.