Why Up-To-Date Software Matters

by Moderator Moderator on ‎11-09-2011 03:58 PM (11,692 Views)

If it isn't broke, don't fix it. Unless it's broken and you don't know it yet.


When you're processing payments from your customers, reliability may be your biggest concern—you don't want to lose sales due to downtime after all—but security is equally important. After all, another way to lose sales is to get a reputation for not handling your customer's personal information with the utmost of care.


Perhaps it would be useful to take a close look at what happened to Sony earlier this year:


"Speaking to the House Energy & Commerce Committee, Eugene Spafford, the executive director of the Purdue University Center for Education and Research in Information Assurance and Security (CERIAS), said the problem at Sony was that the PlayStation Network it was using an older version of the Apache Web server software. He said the problem was reported on an open forum.


"Spafford added that Sony employees knew about the problem for two months before it came to light as a result of the data breach.


"Sony detected the hacking attack on April 19. But some data was stolen two to three days before that, from the Sony Entertainment Online network."


This security breach potentially exposed the credit card details and personally identifying information (PII) of 70 million Playstation Network customers and 25 million Sony Online Entertainment customers.


But wait, that impacted an open-source web server package, Apache, that doesn’t automatically update unless the administrator intentionally installs the update. Surely a commercial package like Microsoft’s Internet Information Server would be more secure thanks to automated upgrades, right?


Well… about that.


"One of the most common methods for hackers and worms to gain access to a computer is by exploiting known problems in software for which patches exist. For example, Microsoft released many patches for Internet Information Server (IIS; a web server program) months or even years before the "Code Red" and "NIMDA" worms appeared. Anyone who had downloaded the patches earlier was not affected by either of these worms."


And yet many administrators of Windows web servers failed to install the patch weeks, even months, after the patch had been released, on the grounds that the worm threat hadn’t become critical yet. This approach left their machines vulnerable to attack, and as a result one out of every six IIS installations was infected, incurring costs of $2.6 billion dollars between lost productivity and time spent inspecting and cleaning servers.


The lesson should be clear—today’s amorphous, not-yet-urgent security threats can become tomorrow’s losses. Even if all seems well, security holes can be discovered in even the most robust of server setups, and as the setup ages, the number of security holes can potentially grow. Most operating systems allow for scheduling automated updates, so patches in web servers can be applied with little time investment on your part. But even if you prefer to review each patch to confirm compatibility with your current software, the time investment will pay off when you consider the time and money you would lose if a security exploit is used against your systems. You have a chance to stop security issues from arising—but only if you take the issues seriously now.