SOFTWARE UPDATE
STOP LINGERING Software updates hold the key to cyber security
By John Szczygiel
Security threats are on the rise and as IT security teams increase their scrutiny of all network-connected devices, it’s time for some new thinking about the design and
maintenance of building security systems.
Building security systems are inherently part of the Internet of Things (IoT), however they tend to be woefully neglected network devices. This point was underscored in a recent Distributed Denial of Service (DDOS) attack, which enlisted IoT and security devices into a robot army directed at the Internet services provider DYN. Many of these devices had fundamental design flaws or default passwords that made them
easy targets.
Fixing the Flaws
Today, many building security systems contain embarrassing rudimentary cyber-security flaws. Many remain on the same software and firmware versions for years at a time—even when critical patches are available. Too frequently, companies adopt the practice of deferring software maintenance until the system breaks or a new feature is needed. Quite often, building security systems are running obsolete operating systems along with out- dated application software and device firmware with known ex- ploits. For example, some of the devices used in the DYN attack were running firmware that was years old with known vulner- abilities that had long ago been patched by the manufacturers.
Security systems installers are complicit in sustaining these con- ditions by failing to offer pro-active maintenance plans or properly advising customers of the need for regular system patching.
Security system manufacturers often compound the problem by making updates expensive or time consuming to obtain and apply. And yet, our building security systems are becoming more connected via the network and Internet. While things on the In- ternet are changing by the second, building security systems may be stuck in the past. These factors make building security systems prime targets for miscreants astonished at the luck of finding a
highly interesting plaything with such obvious flaws.
But in many cases this is not a technical problem; it’s mostly a focus and financial issue. It’s the same dynamic that causes gov- ernments to require annual vehicle inspections or health plans to require periodic physicals or Apple to give you so many annoying
prompts to upgrade your iPhone.
Most people just don’t have the time, money or inclination to pay attention to maintenance. Unless we are compelled to do it, there is always a reason to avoid doing it. So there is the answer— we must be compelled to do it.
This position is validated by information published in Cisco’s Mid-Year Security Report 2016. This report details the major dif- ferences between the strong auto-update policies of the Google Chrome web browser and the weaker update policies associated with Microsoft Office. The strong Chrome “opt-out” update pol- icy drives around an 80 percent compliance with updates. Mean- while Cisco’s statistics show that most users of Microsoft Office users stay for very a long time on their installed version, even when updates are available.
“Many large vendors are holding up their end of the security bargain by releasing notifications, ?fixes, and distributions of vul- nerability patches in a timely manner. But this attention to patch- ing is not reflected in end users—and, as a result, they are com- promising the safety of themselves and their businesses.”—Cisco Mid-Year Security Report 2016
These facts point to the reality that security is strengthened through a process of evolution and also that many of us need a stimulus to evolve. To support this end we need an updated ap- proach to building security system maintenance.
The Value of Convenience
As consumers, we value convenience, cost and functionality per- haps at the peril of cyber security, at least until there is an inci- dent involving one of our services or devices. At that point, we will turn to the provider or installer of the device and accuse them of malfeasance in the provision and support of “their” system.
The provider can certainly be blamed for failing to implement good security hygiene in the design of the device. The installer is accountable for leaving default passwords and open ports con- figured. But who is accountable for failing to provide continuous monitoring, vulnerability assessments and maintaining patch lev- els for building security systems?
As Shakespeare wrote, “the fault my dear Brutus lies not with- in the stars, but within ourselves.”
How can the manufacturer be responsible for vulnerabilities discovered in underlying components long after the device is pur- chased? How can the installer be accountable for keeping systems patched and up to date when the customer chooses not to pay for routine maintenance? How can the customer be blamed for not wanting to upgrade with a working system and risk some type of
NS12
0217 | NETWORKING SECURITY