In May 2017, WannaCry ransomware rapidly proliferated around the Internet, despite availability of a patch released by Microsoft in March. This is simply one of the most recent and notable attacks exploiting known flaws—there is a constant barrage of attacks, large and small. Although cyber security is more complicated than a simple failure to patch end systems, analysis of cyber security incidents has consistently shown that a failure to apply patches is one of the leading enablers of successful attacks.
We have reached a point in the evolution of cyber security where handsoff, behind-the-scenes cyber defense should be the norm. Clearly, the best solution would be to deploy less-vulnerable systems. This is a topic that has received great attention for approximately five decades, but developers continue to resist using tools and techniques that have been shown to be effective, such as code minimization, employing formal development methods, and using type-safe languages. Additionally, consumers are widely believed to be reluctant to accept the software limitations and increased costs that result from some of these more secure development practices. Those issues, coupled with the vast amount of legacy code in place and being reused, have meant that better security is often, at best, an "add-on" rather than "built-in" function. Patching and configuration changes will be required indefinitely to keep the current infrastructure at least moderately secure.
I just apply the software patches from the vendor as soon as I see they have arrived, trust my software vendor, and sleep well at night. This has worked well for me for over 30 years, so far, so good I have never had any software security issues with my vendor. If this process stopped working I would change my software vendor. I have no desire, or time, to analyze the details of software security patches. This would mean digging deeply into the operating system software, which I will not do, even if I could learn to do this. In principle I could do this, maybe. But in practice, for me Life is too short for such deep system software analysis activities. Most times you just have to trust somebody else to do a good job, otherwise your life will be miserable.
Displaying 1 comment