… and are your phones, tablets, PCs and other office equipment young enough for the manufacturer to still be supporting them?

When performing a security risk assessment for a client, one of the issues I’ve found is that not all their staff devices and office equipment are up-to-date with the latest software.  Although it’s the responsibility of their Managed IT Service Provider to keep everything up-to-date, it’s not a clear contract breach because there are some shared responsibilities between client and provider.  The associated communications, processes and procedures between client and provider need attention to ensure no equipment is missed.

SECURITY RISK: That criminal hackers will gain access to your sensitive data by exploiting a technical vulnerability that has already been discovered and fixed, but not yet installed on your device(s).

PRIORITY: HIGH 

Why is it so important?

Firstly, all IT has bugs, some resulting in security vulnerabilities.

Modern IT hardware and software is incredibly complex, and so never 100% perfect.  Whilst many bugs are just nuisances, others can result in security weaknesses (“vulnerabilities”) that are exploitable by hackers to gain access into a device or system. 

Secondly, IT vendors are continually discovering and fixing security vulnerabilities.

Hardware and software vendors routinely find security vulnerabilities themselves, or through their customers and users, or when they are notified by other vendors or threat researchers. The worst-case scenario is only becoming aware of a security vulnerability after a hacker has already exploited it to successfully breach a company!

Depending on the nature and severity of the vulnerability, vendors may issue an emergency fix (which the industry calls a “patch”), or they may wait to include the patch in the next update of the software.  Many vendors plan regular software updates in the knowledge that every month or every few months they will have a collection of new features, improvements, bug fixes and security patches to distribute in a software update.

Most security vulnerabilities are publicly disclosed and published once a fix has been developed.  This way, every IT administrator in the world can be informed of important vulnerabilities that may affect their systems, and where to get the software update or patch that fixes the problem.

Lastly, criminals are trying to exploit those security vulnerabilities to break in.

While some hackers look to discover “new” vulnerabilities previously undiscovered, this is mostly happening at a nation-state level targeting government, defence, critical infrastructure and big business.  The majority of security breaches resulting from exploiting technical vulnerabilities in IT, have been exploiting vulnerabilities that have already been discovered, publicly disclosed and fixed by the vendor, but not (yet) installed by the breached company’s IT department or provider.

Analogy … if your IT infrastructure was actually a bricks and mortar building, then you’d see the occasional shady looking person or robot walking around, checking for vulnerabilities.

Maybe they spot a window lock made by Acme Locks Inc.  Looking closer, they see it's the WindowLock-3000.  They recall reading a recent bulletin in Locksmiths Weekly that described how someone discovered that the Acme WindowLock-3000 could be unlocked with a metal skewer bent and inserted in a very specific way, plus how to mount a metal plate to block this from being possible.  The criminal takes a photo and a mental note to find out more about the WindowLock-3000.  After doing their research, they confirm that even though this vulnerability is known, the fix for it (i.e. the metal plate) has not been installed.  They follow the instructions to make one of the break-in tools described in the security bulletin, then return to break in.  Following that success, they decide to actively go looking for buildings with the WindowLock-3000 in the coming weeks and months before building owners fix that vulnerability.

This is why it is so important so to ensure your IT systems are kept up-to-date with the latest software. Many data breaches and ransoms result from IT equipment having a vulnerability that has been fixed by the manufacturer, but the fix has not been applied though a patch or a software update.

Why is it important to update office equipment and other devices that don’t even hold sensitive data?

Because these devices are often the first to be cracked into, usually because this kind of office and IT equipment are often the easiest to crack into given many need to be updated manually, and are often overlooked.

Access into these devices gives a criminal hacker a foothold inside your IT infrastructure, from where they can start to crack into other devices and accounts.  One of the most notable cases of this occurring was where criminals stole a Las Vegas casino’s high-roller database by first gaining access into its internal network through a smart thermostat in its tropical aquarium.

RECOMMENDATION: Ensure someone in your organisation, and your IT Provider if you have one, is responsible for ensuring ALL devices and IT equipment is up-to-date with the latest security patches and software updates.

PRIORITY: HIGH.     EFFORT: LOW to MEDIUM.

Summary

Keeping devices up-to-date with the latest patches and software is critical to the security of your IT infrastructure and the sensitive data it holds.  It is one of the highest recommendations in every cybersecurity framework and guideline around the world.  Here in Australia, the Australian Cyber Security Centre designates it as being one of the “Essential Eight”, i.e. one of the eight most important security measures.

In my next article, I give some practical tips for small and medium businesses on the considerations when keeping their devices and equipment up-to-date.

Please reach out if you’d like further background, advice, and/or help.  I also offer a comprehensive cybersecurity risk assessment for small and medium businesses, along with advice and recommendations tailored to the nature of your industry, organisation, customers, and the resources you are able to devote to securing your business.

#cybersecurity #cyber #smallbusiness #SMB