Basic Server Security – The Importance Of Updates
Welcome to another article in our series on basic server security. We have covered much of what you need to know so far, but this time it’s the turn of software updates. Software gets updated all the time: some vendors use a defined update interval, such as Microsoft’s “Patch Tuesday” release schedule for its products, while others release patches as soon as they are ready.
What are updates for?
These updates normally come in one of two forms: the addition of a new feature, or a fix for a bug. New features are normally the big draw for users, and updates offering them are swiftly adopted. Bug fixes tend to be ignored except by those who have noticed the bug in their own use of the software. The bug that has been addressed could be something simple such as a spelling mistake in the software, or something more serious that could allow a remote attacker to run their own code on the target computer. Unfortunately, this aspect of human nature is counterproductive, as the bug fixes are sometimes more important than the desired new features. To give an idea of how important updates can be, we’ll look at a few examples from the last year of situations where applying software updates would have helped:
Equifax
We’ll start with the case of Equifax, which suffered a massive hack in the first half of 2017. As the investigation continued, it was discovered that the attack made use of a bug in the Apache Struts framework that Equifax was using on its servers. A software update that fixed the bug had been released 2 months before the attack took place, but it had not been applied to the attacked server.
WannaCry
At around the same time as this hack, there was also a high-profile spate of ransomware attacks across the world targeting the Microsoft Windows operating system. The WannaCry ransomware made use of a bug in the implementation of the Windows file-sharing system, Server Message Block. The bug was found by the NSA and kept secret until a hacking group revealed it, after which Microsoft swiftly patched it. The patch had been available for 2 months before WannaCry was released, so any vulnerable system could have had the bug fixed (aside from those running Windows XP, which has been end-of-life for three years and no longer receives updates). The ransomware was ineffective against any system that had received the software update.
Updates as best defense
As can be seen, some very high-profile compromises could have been avoided simply by applying updates when they were issued by the software creator. There are arguments for delaying the application of updates, as an update can sometimes break existing functionality on a system. That said, I can think of very few situations where applying security updates has caused such issues for me personally. The solution to the risk of breaking a production system is to keep a second environment (perhaps a low-specification VPS) on which you apply the software updates first, then test to make sure everything works before deploying the updates on your live system. Even when being cautious, there’s no reason why you can’t test and deploy within a week of an update’s release.
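A small check for the staging-first workflow just described, added here as an example (it is not part of the original article): it parses constructed `apt list --upgradable` output from a production host and reports which pending security updates have already been installed and tested on the staging host, and which still need to go through staging first. The package lines, versions and the staging inventory are made-up sample data.

```python
import re
from dataclasses import dataclass

# Constructed sample of `apt list --upgradable` output (real format, made-up package lines).
PROD_UPGRADABLE = """\
Listing...
libssl3/jammy-security 3.0.2-0ubuntu1.15 amd64 [upgradable from: 3.0.2-0ubuntu1.14]
apache2/jammy-security,jammy-updates 2.4.52-1ubuntu4.8 amd64 [upgradable from: 2.4.52-1ubuntu4.7]
vim/jammy-updates 2:8.2.3995-1ubuntu2.16 amd64 [upgradable from: 2:8.2.3995-1ubuntu2.15]
"""

# Constructed: versions confirmed working on staging (as `dpkg-query -W` would list them).
STAGING_INSTALLED = {
    "libssl3": "3.0.2-0ubuntu1.15",  # already applied and tested on staging
    "apache2": "2.4.52-1ubuntu4.7",  # staging still on the old version: untested
    "vim": "2:8.2.3995-1ubuntu2.16",
}

LINE_RE = re.compile(
    r"^(?P<name>[^/\s]+)/(?P<suite>\S+)\s+(?P<new>\S+)\s+\S+\s+"
    r"\[upgradable from: (?P<old>[^\]]+)\]$"
)

@dataclass(frozen=True)
class Pending:
    name: str
    suite: str
    new: str
    old: str

    @property
    def is_security(self) -> bool:
        # Security fixes come from a "<release>-security" suite; apt may list several, comma-separated.
        return any(s.endswith("-security") for s in self.suite.split(","))

def parse_upgradable(text):
    """Parse `apt list --upgradable` output; the header and blank lines are skipped."""
    return [Pending(**m.groupdict())
            for m in (LINE_RE.match(l.strip()) for l in text.splitlines()) if m]

def deploy_plan(pending, staging_installed):
    """Split pending security updates into those already validated on staging
    (ready to roll to production now) and those staging has not yet received."""
    ready, untested = [], []
    for p in pending:
        if not p.is_security:
            continue  # non-security updates can wait for the normal cycle
        (ready if staging_installed.get(p.name) == p.new else untested).append(p.name)
    return sorted(ready), sorted(untested)
```

Run on the sample data it reports `libssl3` as ready for production and `apache2` as needing to be applied and tested on staging first; `vim` is skipped because it is not a security update.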
The main thing to keep in mind is that, fundamentally, if a software update fixes a bug that allows an attacker to gain access to or control of a system, then hackers will swiftly create tools to check for and exploit that bug. The longer your server runs without the updates, the higher the chance that such a tool is able to take advantage of the weakness in your server. So you should always keep on top of getting software updates installed on your server.