How to solve a problem like security update apathy?

News by Davey Winder

When a high percentage of users have unpatched systems and unpatched programs, as found in a recent Secunia report, can you protect them from themselves?

The Secunia Q3 country report for the UK was published this week and makes for depressing reading. Nearly eight per cent of users have unpatched operating systems, and more than 15 percent have unpatched programs.

Throw in the 5.5 per cent of end-of-life programs with no ongoing support found on your average PC and the problem of security patch apathy starts to become clear.

While those numbers on their own do not sound too alarming, any vulnerable program that is unpatched serves as a gateway to the exploitation of your and other systems by hackers.

Secunia uses an example whereby if 37 percent of PCs running VLC Media Player 2.x, which has a 36 percent market share, are unpatched then 13 percent of all PCs are made vulnerable by that program. Not forgetting, of course, that the same PC will likely have a bunch of other unpatched and vulnerable programs also installed.

Which leaves us wondering why users are so slack when it comes to installing security patches? The report itself has a clue or two. On a typical PC, it states, users have to master 26 different update mechanisms to patch the 75 programs on it in order to remediate vulnerabilities. These comprise a single update mechanism for the 31 Microsoft programs that make up 42 per cent of the programs on the PC, and then 25 different update mechanisms to patch the remaining 44 programs (or 58 per cent) from the non-Microsoft vendors whose products are installed.

We asked Kasper Lindgaard, director of research and security at Secunia, how we have got into this mess at both the application and system level.

“I don't think people are deliberately ignoring security updates,” Lindgaard says. “It's more a combination of lack of awareness and resignation. Lack of awareness, in that the average computer user does not have sufficient understanding of digital security to navigate the space and identify what's more important: re-active antivirus or pro-active vulnerability management? And, once you have figured that one out, how do you choose between the many solutions available that cover different aspects of security? How do they complement each other and how do you figure out what's best? Resignation, in that maybe all of these activities required of you are just too many, and too complicated, for the average computer user to take onboard.”

Lindgaard also points out that, on the vendor side of the issue, this is fairly new territory.

"The IT industry is still in its infancy in many ways," he told us. "Every IT company is finding its own way of going to market and communicating to users, and there are no set standards and very little best practice when it comes to something like issuing security updates. Consequently, users have to compute and handle different update mechanisms for all the vendors whose products they use. In the UK in Q3 2015, the 75 applications installed on the average private PC came from a total of 26 different vendors, not all of whom provide clear and actionable update information."

So what is the real knock-on impact of this on cyber-security? By ignoring security updates, for whatever reason, we risk big impacts upon cyber-security within the organisation.

That's the opinion of Qualys CTO, Wolfgang Kandek, who referred to the Verizon 2015 Data Breach Investigation Report which found that of the 2,122 confirmed data breaches, 99.9 percent of the exploited vulnerabilities were more than a year old.

"By not updating regularly, an organisation's systems are open to attack," Kandek explains. "An individual doesn't need advanced capabilities to attack the system, they can just use well known available vulnerabilities to exploit it."

Many attacks are also coming through vulnerabilities that are just two weeks old, according to Kandek, who went on to add that organisations should be looking to immediately address all vulnerabilities older than a year, followed by those that are two weeks old.

Catalin Cosoi, chief security strategist at Bitdefender, reminds us, "It's a fact that most viruses hack into company servers via outdated operating systems and mobile device apps. Hackers can write code to specifically target a known vulnerability in the outdated software in order to extract personal and confidential data for personal gain. As we've seen, having your system hacked can put you out of business, as a result of a ruined reputation and huge financial losses."

OK, but what if anything can be done to rationalise the plethora of security updates and persuade users to actually install them?

Cosoi insists that prioritisation is the key, telling us that "there are a lot of software updates made available every day, but not all of them are critical. To prioritise and decide which updates to install, users and businesses should assess existing software problems and review the associated documentation for each software update to see how those patches help to solve them. It also pays off to scan community forums and get early reports on problems that others might be experiencing when they apply the patches."

Of course, most large enterprises and their IT departments have protocols in place for testing patches before deploying them to the entire network, and a comprehensive patch management program helps the organisation deal with the prioritisation and scheduling of updates that must be deployed immediately.

Fraser Kyne, principal systems engineer with Bromium, takes more of an engineer's approach to the problem when he says, "Make people write secure code. Make updates easier to apply. Make the whole process invisible for users. Ride a unicorn over a rainbow." Or, to put it another way, find a new way of doing things.

"Our systems need to be more architecturally robust to attack," Kyne insists, adding: "If not, we are simply fighting a war where we are woefully under-equipped compared to our adversary."

Professor Steven Furnell, senior member of the IEEE and professor of information systems security at the University of Plymouth, reckons we have already seen developers moving towards more regimented patch releases, with only the critical updates appearing out-of-band.

"One key to reducing the plethora will be to go back to source and ensure better development practices," he argues, "which in some cases may track back to the way that skills are taught and whether secure coding receives any emphasis."

That said, persuading users to install them may remain a challenge, and in some cases we can already see important updates being applied without needing user intervention.

This automation of the process ticks boxes with many we spoke to. "The legacy model of security updates is broken," says Criptyque CEO Jonathan Parker-Bray. "Updates should be delivered automatically when decided by the provider. For instance, if a specific protocol becomes obsolete the company could replace it, without the user experience changing on the front end.

“All the user will experience is a minor inconvenience as the app updates which is an acceptable trade for increased security."

Jeremiah Grossman, founder of WhiteHat Security, agrees, saying: "Do not give the user a choice. Simply patch for them, and that's that..."
