Update Insecurity


TTLNow

Member
Oct 6, 2020
A persistent thread mentioned throughout the years on Security Now is exploitation of vulnerabilities caused by a lack of installing updates that address known flaws. Has anyone heard of any SAS solution to address this? A security company that you register with to list all your systems/versions could then act as an aggregator or clearinghouse, to provide you with real-time updates or, more simply, real-time notifications, respectively. I had seen some products over the years that sort of did some of this, but not anything comprehensive that might provide this as a simple and economic solution. If such a product is/were available, insurance companies could force companies to prove they are following best practices by using it and keeping up to date – or else be able to deny insurance claims (as in ransomware insurance).
 
any SAS solution to address this
There used to be a free one from Secunia called PSI, but for some reason they took it off the market. I don't know if there are other trustworthy products in the same product range that are free, but there are non-free tools I'm sure.
 
Thanks for the response - I was looking for something more applicable to corporate environments with multi-server and multi-application (including multiple versions of those apps) environments. In such environments we have tons of admins, and this type of monitoring would really be useful so we don't have to count on each of the admins being on top of the updates - you know, the weakest link idea. We have real-time tools monitoring the users, but rapid patch assessment and implementation is always challenging in large, complex environments.
 
PSI had an expensive big brother called CSI which now appears to have become this: Software Vulnerability Management | Flexera
It seems Flexera bought our Danish friends up and kept the pay version of the software and dumped the nice PSI.

There are two ways to skin a cat, however. It seems getting software into your company is too easy and lacks centralised ownership and policies. An inventory of assets would help avoid this problem, with reduced ownership and more active patch management being key. Remember, patching breaks things (anyone heard of Windows 10? :D) and so you need a process to manage this.

The tooling just squeezes the balloon in my opinion. You will never have the balloon within your hand and therefore never manage the problem.
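The clearinghouse asked about above (register your systems and versions, get told what is behind) and the asset inventory recommended in the reply both reduce to the same check: compare an inventory against a feed of latest fixed versions. The following is an added example written for this thread, not code from any product or vendor mentioned here. The inventory text, the "latest version" feed, and the hostnames are all constructed; the version comparison assumes dotted numeric versions with an optional letter suffix (1.1.1k style) and does not understand pre-release tags such as rc1.

```python
"""Minimal patch-status report: which hosts run software behind the
latest known fixed version. Added example; inventory and feed are constructed."""
import re

# Constructed inventory as an admin export might look: host,application,version
INVENTORY_CSV = """\
host,application,version
web01,openssl,1.1.1k
web01,nginx,1.18.0
db02,postgresql,12.5
db02,openssl,1.1.1l
app03,nginx,1.21.3
app03,postgresql,9.6.2
app03,java,8u292
"""

# Constructed "latest fixed version" feed, the kind of data an aggregator
# or clearinghouse would publish. Note there is no entry for java.
LATEST = {"openssl": "1.1.1l", "nginx": "1.20.1", "postgresql": "12.8"}


def parse_inventory(text):
    """Return {host: {application: version}} from the CSV-style export above."""
    inventory = {}
    lines = text.strip().splitlines()[1:]  # skip the header row
    for line in lines:
        host, app, version = (field.strip() for field in line.split(","))
        inventory.setdefault(host, {})[app] = version
    return inventory


def version_key(version):
    """Turn '1.18.0' or '1.1.1k' into a tuple that compares correctly.

    Plain string comparison gets this wrong ('1.9.9' > '1.10.0'), so each
    numeric component is compared as an integer and any trailing letters
    (OpenSSL's k/l patch letters) as a string after it.
    """
    return tuple(
        (int(number), suffix.lower())
        for number, suffix in re.findall(r"(\d+)([A-Za-z]*)", version)
    )


def is_outdated(installed, latest):
    """True when the installed version is strictly older than the latest one."""
    return version_key(installed) < version_key(latest)


def patch_report(inventory, latest):
    """Return (host, application, installed, latest) for every out-of-date
    install. Applications with no feed entry are reported with latest=None
    rather than silently skipped: unknown coverage is itself a finding."""
    findings = []
    for host, apps in sorted(inventory.items()):
        for app, installed in sorted(apps.items()):
            if app not in latest:
                findings.append((host, app, installed, None))
            elif is_outdated(installed, latest[app]):
                findings.append((host, app, installed, latest[app]))
    return findings


def hosts_needing_attention(findings):
    """Sorted list of hosts with at least one finding, for the admin summary."""
    return sorted({host for host, _, _, _ in findings})


if __name__ == "__main__":
    report = patch_report(parse_inventory(INVENTORY_CSV), LATEST)
    for host, app, installed, latest in report:
        status = f"behind (latest {latest})" if latest else "not covered by feed"
        print(f"{host:6} {app:11} {installed:8} {status}")
    print("hosts needing attention:", ", ".join(hosts_needing_attention(report)))
```

The two details worth carrying into a real deployment are the version comparison (a surprising number of home-grown scripts compare version strings lexically and miss exactly the 1.9 to 1.10 style jump a vendor fix ships in) and the explicit "not covered" finding, which is what keeps an application that nobody registered in the feed from being mistaken for an up-to-date one.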
 
One that I use A LOT is called "Patchmypc" (Home Updater: Overview and Download | Patch My PC). It's free! While its list of supported apps does not include EVERY app, it does include a LARGE list of the COMMON apps you'll find on someone's computer. For an app to be on the list, it must not contain adware upon installation and it must support silent installs.

You open the app, click update and it will go through one by one and install the latest version. It's a godsend when doing remote support.

What's also nice is you can install an application simply by putting a checkmark in the box next to the app you wish to install on the left.

Here is a screenshot.

 
I think you will find that 99.9% of ransomware gets installed by end users doing something dumb.
No no no. If a 3-year-old child burns the house down, it's not the child's fault. The fault is with the person that let the child play with matches. If clicking a link in an email message can result in ransomware, the fault is with the techies that set up the computing environment, not the person who has a job to do that has nothing to do with IT.
 
Sorry @MichaelRSorg, I will disagree with you. Three-year-olds are not operating computers, and at this point in time there are plenty of people who know they shouldn't do whatever it is they just did that compromised them. By saying they share no blame in their own misfortune you are encouraging them to continue to mis-operate their computers. If they need to have that bad experience before they learn about safety, backups, etc., then that is just the way it is. You don't fail to blame people for the car accidents they cause, and you should feel the same way about their computer accidents.