15.12.10

Necessity of updates

Category: News
By: F. Fiesel - 2B Advice GmbH - the privacy benchmark

Besides the "human factor", securely configured systems are the basic prerequisite for privacy-compliant use of data and services. Regular updates are therefore necessary to prevent security vulnerabilities from becoming gateways into the corporate network for potential data thieves.

Nevertheless, many security vulnerabilities appear as so-called "zero-day exploits": by the time the new vulnerability becomes known, it has already been exploited by criminals and has caused damage. In most instances, security updates still do not exist for such vulnerabilities even when they are publicised.


In order to reduce the risk of an IT system being compromised through a "zero-day exploit", use of the affected service should be restricted pending the release of a security update, or the service should be deactivated where possible. For numerous services and programs, the manufacturers provide so-called "workarounds" pending the release of the security update so that normal business operations can continue without major complications.


A security vulnerability in the C standard library "libc" recently made it possible for (S)FTP ((Secure) File Transfer Protocol) servers, which many companies run under Linux/UNIX, to be crashed from outside, placing enormous restrictions on the availability of those companies' data. In this example, only one of the numerous manufacturers or distributors of this service offered a workaround, meaning that the threat of an attack can otherwise only be averted by deactivating the service.


The company's in-house response to a "zero-day exploit" should be covered in the "incident response plan", allowing the affected departments, such as IT, to react directly. Furthermore, the "IT security guidelines" should prescribe regular updates at a maximum interval of 30 days (the shorter the better); updates should be installed on test systems in advance so as to avoid problems in productive operation.
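The response procedure described above (a 30-day maximum update interval, test systems before production, and a vendor workaround or deactivation of the service when no security update exists yet) can be encoded as a small compliance check. The following Python script is an added example written for this page, not tooling from 2B Advice; the host names, service names, advisory identifiers and dates are constructed sample data.

```python
"""Patch-interval and zero-day response checker (added example, constructed data).

Encodes two rules from the article:
  1. every host must have received updates within the last 30 days, rolled
     out to test systems before production;
  2. for a published vulnerability with no security update yet, apply the
     manufacturer's workaround if one exists, otherwise deactivate the service.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Tuple

MAX_PATCH_INTERVAL_DAYS = 30  # policy value taken from the article


@dataclass
class Advisory:
    ident: str                 # hypothetical advisory identifier (placeholder)
    service: str               # affected service as named in the host inventory
    update_available: bool     # has the manufacturer released a security update?
    workaround_available: bool # has the manufacturer published a workaround?


@dataclass
class Host:
    name: str
    environment: str           # "test" or "production"
    last_update: date          # date of the last installed update run
    services: List[str] = field(default_factory=list)


def patch_age_days(host: Host, today: date) -> int:
    """Days elapsed since the host's last update run."""
    return (today - host.last_update).days


def overdue_hosts(hosts: List[Host], today: date) -> List[str]:
    """Names of hosts that violate the 30-day maximum update interval."""
    return [h.name for h in hosts if patch_age_days(h, today) > MAX_PATCH_INTERVAL_DAYS]


def zero_day_action(adv: Advisory) -> str:
    """Decision rule for a single advisory, in the article's order of preference."""
    if adv.update_available:
        return "install security update (test systems first, then production)"
    if adv.workaround_available:
        return "apply manufacturer workaround pending the security update"
    return "deactivate the service until a security update is released"


def incident_actions(hosts: List[Host], advisories: List[Advisory]) -> List[Tuple[str, str, str, str]]:
    """(host, service, advisory, action) for every host running an affected service."""
    actions = []
    for host in hosts:
        for adv in advisories:
            if adv.service in host.services:
                actions.append((host.name, adv.service, adv.ident, zero_day_action(adv)))
    return actions


def rollout_order(hosts: List[Host]) -> List[str]:
    """Update rollout sequence: test systems first, then production (stable order)."""
    return [h.name for h in sorted(hosts, key=lambda h: h.environment != "test")]


# Constructed sample inventory; TODAY is the article's publication date.
TODAY = date(2010, 12, 15)
HOSTS = [
    Host("ftp-prod-1", "production", date(2010, 10, 30), ["ftp", "sftp"]),  # 46 days old
    Host("ftp-test-1", "test", date(2010, 12, 10), ["ftp", "sftp"]),        # 5 days old
    Host("web-prod-1", "production", date(2010, 11, 20), ["web"]),          # 25 days old
]
ADVISORIES = [
    # no update, no workaround: the libc/(S)FTP situation described in the article
    Advisory("ADV-PLACEHOLDER-1", "ftp", update_available=False, workaround_available=False),
    Advisory("ADV-PLACEHOLDER-2", "sftp", update_available=False, workaround_available=True),
    Advisory("ADV-PLACEHOLDER-3", "web", update_available=True, workaround_available=True),
]

if __name__ == "__main__":
    for name in overdue_hosts(HOSTS, TODAY):
        print(f"OVERDUE: {name} exceeds the {MAX_PATCH_INTERVAL_DAYS}-day update interval")
    print("rollout order:", " -> ".join(rollout_order(HOSTS)))
    for host, service, ident, action in incident_actions(HOSTS, ADVISORIES):
        print(f"{host}: {service} ({ident}): {action}")
```

Running the script lists the one production host that has exceeded the 30-day interval, the rollout order with the test system first, and one action per affected service per host, with the unpatched and unworkable FTP advisory resolving to deactivation of the service.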


100% security in IT systems can never be attained. However, the risks to which companies are exposed can be reduced to a manageable level through regular updates and clearly defined "incident management".
