Thursday, 19 January 2012

The Patch Question

Security is hugely important and huge business. Recently there have been some high profile security breaches and presumably a lot of instances of unauthorised access that have not been made public. The implications for businesses and their customers can be devastating.

Some companies never recover from a disaster, especially those with no disaster recovery policy, procedure or plan, or only a poor one. And whilst the cause of a disaster is often out of their control, the recovery side is. However, when a security breach occurs it is often the reverse that is true.

Sony is one company that has suffered a major breach in security in the last 12 months, the full and complete extent of which I believe is still not in the public domain (feel free to correct me in the comments... with a link to the source of course ;) ). The recovery from this is a very difficult task. Sony's plan has been to try to build confidence back in the existing users as well as compensation (users were offered a choice of games from a small selection). But really, proving they have learnt the tough lessons, no further breaches and the passing of time are the things Sony has to rely on.

Now I'm not sure where the security hole was or what piece of software was at fault particularly (again, please feel free to provide the details in the comments), but during the period of downtime of Sony's PlayStation Network, several individuals were able to sniff out the versions of software that were running on Sony's servers (such as Apache, PHP, MySQL etc.). Many, if not all, were out of date with well-known vulnerabilities. This is the part that is in everyone's control.
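The version banners mentioned above are exactly what an administrator should audit on their own servers before anyone else does. The following is an added example, not code from the original post: it parses the head of a constructed HTTP response, pulls product/version tokens out of the `Server` and `X-Powered-By` headers, and flags anything below a minimum version. The minimum versions in the table are placeholders chosen for illustration, not real advisory thresholds.

```python
"""Flag version banners that reveal out-of-date server software.

Added example (not from the original post). The HTTP response below is
constructed, and the minimum versions are placeholders, not real advisories.
"""
import re

# Constructed raw HTTP response head, as a server might return it.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 19 Jan 2012 10:00:00 GMT\r\n"
    "Server: Apache/2.2.3 (CentOS) PHP/5.1.6 mod_ssl/2.2.3\r\n"
    "X-Powered-By: PHP/5.1.6\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Placeholder "oldest acceptable" versions, assumed for illustration only.
# In practice these come from your own patch baseline, not from this script.
MINIMUM_VERSIONS = {
    "apache": (2, 2, 22),
    "php": (5, 3, 9),
    "mod_ssl": (2, 2, 22),
}

# Matches banner tokens of the form Product/1.2.3
TOKEN_RE = re.compile(r"([A-Za-z_][A-Za-z0-9_-]*)/(\d+(?:\.\d+)*)")


def parse_headers(raw: str) -> dict:
    """Split the status line off and return the headers as a lower-cased dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]  # drop the status line ("HTTP/1.1 200 OK")
    headers = {}
    for line in lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def version_tuple(text: str) -> tuple:
    """'2.2.3' -> (2, 2, 3) so that versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def disclosed_versions(headers: dict) -> dict:
    """Collect product -> version pairs from the banner-style headers."""
    found = {}
    for name in ("server", "x-powered-by"):
        for product, version in TOKEN_RE.findall(headers.get(name, "")):
            found[product.lower()] = version_tuple(version)
    return found


def audit(raw: str) -> dict:
    """Report which products disclose a version and which sit below the baseline."""
    found = disclosed_versions(parse_headers(raw))
    outdated = {
        product: found[product]
        for product, minimum in MINIMUM_VERSIONS.items()
        if product in found and found[product] < minimum
    }
    return {"disclosed": sorted(found), "outdated": outdated}


if __name__ == "__main__":
    result = audit(SAMPLE_RESPONSE)
    print("Disclosed products:", ", ".join(result["disclosed"]) or "none")
    for product, version in result["outdated"].items():
        print(f"OUTDATED: {product} {'.'.join(map(str, version))}")
```

Two things fall out of a run like this. First, the banner itself is the finding: Apache's `ServerTokens Prod` directive and `expose_php = Off` in php.ini stop the version being advertised at all. Second, hiding the banner is not patching; the `outdated` list is the one that needs acting on, and the script is only useful if the baseline table is kept current.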

I used to be of the opinion that when a software vendor released a patch or update of some sort, I would leave it to other people to test and find any issues, to save me having to roll back. This used to be particularly true of Microsoft patches, which seemed to either fix an issue but introduce another, or not even fix the issue they were supposed to. However, through confidence built by Microsoft, I generally update within a day or two of release. The same can be said of apps on my Android-based devices. I have no qualms about hitting "update all" when notified of updates. Those apps which have changed their permission requirements get a quick glance at the changes and then 9 times out of 10 also get the update granted. As a PlayStation Network user I have no choice but to update if I want to continue playing games online and have access to the Store.

And with open source server software I am more likely to update pretty quickly. The reason for this is that vulnerabilities are so well known these days; thanks to the way and speed at which news spreads on the Internet, you leave yourself at huge risk if you don't. Of course more and more software is becoming self-updating, Chrome being one of the most popular to do this.

What do you guys do with regards to updates? Are you more gung-ho like me, or are you the step-back-and-let-someone-else-try-it-first type? Do you apply a different policy to your work computer than to, say, someone else's, or to a system you look after at work?
