Updates are a funny thing. We all know that updates are released for our systems to fix bugs, fix security issues or add improvements to the functionality. Basically, that makes updates like vaccinations, right? Vaccinations inoculate us against bugs, or at least minimise the effect they have on us, and that is really what updates are about. So why don't people do more updates?
We are told time and time again that we need to get the basics right in order to ensure that our corporate systems are as secure as they can be, but it just doesn't happen. Look, let's be completely clear here: most attacks that actually hit systems directly (not counting social engineering attacks) exploit problems and vulnerabilities that have been around for quite some time and already have patches released that basically make your systems immune to that specific attack or threat.
Honestly, there are millions of vulnerabilities out there that could be used to crush your network in minutes, an absolute wipeout, and it would be too late for your teams to do anything to stop it. But if you had just taken the blue pill (Matrix reference, I am a bit of a fan) and vaccinated your system, none of it would have happened.
When it comes to security everyone wants to throw money at all of the new blah blah blah with all of the blinky lights that is supposedly better than all of the previous 50 versions of the same thing with a new name and a pretty GUI for you to look at. Yes, disclaimer here: some of the blinky-lights stuff that all of the vendors want to sell you is getting better, but throwing stupid amounts of money at the biggest and best security solution that is being touted as the saviour of all our security concerns will, in most cases, probably do two things: lower the bank balance and disappoint you when it really needs to do what it broadcasts to the world that it can do.
It is honestly a sad truth, but if you haven't actually spent time working on your security basics like asset management, system updates, password policy and system hardening, just to name a few things, you will fail no matter how much money you have spent on these new fancy toys. Honestly, if you can truly ensure that you get the small and boring stuff right, you will probably have a stronger, more resilient system than someone who has skipped all of the prep work and moved straight to the flashy lights. I am being completely serious here: all the money in the world won't save you from being lazy and ignoring what you should have done in the first place.
I know some of you will whine and complain about the fact that you have legacy systems that can't be updated for some reason or another, but that is a cop-out. If a system can't be updated, find a better solution or isolate it so that nothing but the bare minimum required can even know it exists. I think that if you truly want to work out how to get your systems up to date then you can do it. Yeah, it is not going to be easy and it may cost some money to get this done right, but you will be much better off for it, that I can promise you.
So, if you don't have an excuse for not doing updates, and they will basically make you the most secure you could be without throwing a ridiculous amount of money at the problem, then why do so many companies fail monstrously at keeping systems updated? You can automate most of the process with asset management systems so that, once it is set up correctly, you will barely even need to do anything to keep them continuously updated.
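To make the "asset management plus updates" point concrete, here is a small patch-compliance check written as an added example for this post (it is not the author's code or any vendor's tool). It reconciles an asset inventory against a minimum patch baseline, flags systems that are behind and separates out legacy systems that cannot be updated so they end up on the isolate-or-replace list from the previous paragraph. Every hostname, OS name, version string, date and the 30-day patch SLA below is constructed sample data chosen for the example, not a real environment.

```python
"""Patch-compliance check: reconcile an asset inventory against a required
patch baseline, flag systems that are behind, and separate out legacy
systems that cannot be updated so they can be isolated or replaced.

All hostnames, OS names, versions, dates and the SLA value are constructed
sample data for this example, not real systems or real vendor builds.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    host: str
    os: str             # key into BASELINE
    version: str        # installed patch level, dotted numeric string
    last_patched: date  # when the last update was applied
    supported: bool     # False = vendor no longer ships updates (legacy)


# Constructed baseline: minimum acceptable patch level per OS family.
BASELINE = {
    "linux-lts": "5.15.120",
    "winserver": "10.0.20348.2400",
}

# Assumed policy: an out-of-date system must be patched within this many days.
PATCH_SLA_DAYS = 30

# Date the sample report is generated for (constructed).
REPORT_DATE = date(2024, 7, 1)


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '10.0.20348.2400' into (10, 0, 20348, 2400) so versions compare
    numerically instead of as strings (where '5.15.98' > '5.15.120')."""
    return tuple(int(part) for part in v.split("."))


def classify(asset: Asset, today: date, baseline=BASELINE) -> str:
    """Return one status per asset: compliant, out_of_date, overdue,
    isolate (no patches exist) or unknown (not covered by the baseline)."""
    if not asset.supported:
        return "isolate"      # no patches available: segment it off or replace it
    if asset.os not in baseline:
        return "unknown"      # inventory gap: you can't patch what you haven't catalogued
    if parse_version(asset.version) >= parse_version(baseline[asset.os]):
        return "compliant"
    days_since_patch = (today - asset.last_patched).days
    return "overdue" if days_since_patch > PATCH_SLA_DAYS else "out_of_date"


def compliance_report(assets, today: date, baseline=BASELINE) -> dict[str, list[str]]:
    """Group hostnames by status so the worst buckets (isolate, overdue) stand out."""
    report: dict[str, list[str]] = {}
    for asset in assets:
        report.setdefault(classify(asset, today, baseline), []).append(asset.host)
    return report


# Constructed inventory: a mix of current, lagging, legacy and uncatalogued systems.
SAMPLE_ASSETS = [
    Asset("web-01", "linux-lts", "5.15.131", date(2024, 6, 20), True),
    Asset("web-02", "linux-lts", "5.15.98", date(2024, 3, 2), True),
    Asset("dc-01", "winserver", "10.0.20348.2400", date(2024, 6, 12), True),
    Asset("app-07", "winserver", "10.0.20348.2227", date(2024, 6, 15), True),
    Asset("plc-gw", "embedded-2009", "1.4.2", date(2016, 9, 1), False),
    Asset("lab-box", "bsd", "13.2", date(2024, 6, 1), True),
]


def sample_report() -> dict[str, list[str]]:
    """Run the check over the constructed inventory as of REPORT_DATE."""
    return compliance_report(SAMPLE_ASSETS, REPORT_DATE)


if __name__ == "__main__":
    for status, hosts in sample_report().items():
        print(f"{status:12s} {', '.join(hosts)}")
```

The "unknown" bucket is deliberately separate from "compliant": a host whose platform is not in the baseline is an asset-management failure, not a pass, and in practice that bucket is where forgotten boxes hide. Scheduling this against a real inventory export is the boring, automatable work the paragraph above is talking about.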
Do yourself and your organisations a favour: stop and plan what you need to get done to get all the boring foundational security stuff sorted, then by all means throw some money at some awesome new blinky lights to improve on that foundational work you just got right. Look, I love playing with the new toys too and seeing what can be done to put them through their paces, but they can't replace true security foundation work. If you remember that, you will be ready for that next wave of attack and, with a bit of luck, your hard work will have all been worth it.