It seems pretty obvious that if you keep your software updated, you decrease the chances of incurring a security breach. Software updates cover operating systems (Windows XP, Vista, Windows 7, Windows Server 2003, Windows Server 2008, etc.) as well as Adobe Acrobat, Microsoft Office, Internet Explorer, Microsoft SQL Server, etc. By security breach I am referring to a virus attack, spyware / malware, or theft of data by an entity external to your network.
Microsoft published Version 8 of its Security Intelligence Report (SIR), which is a 250-page report on security.
Wolfgang Kandek, the CTO of Qualys, a maker of vulnerability scanning products, does a nice job summarizing some of the key points of the Microsoft SIR:
Running updated software decreases the attack surface and increases general robustness. The report shows that attackers target Internet Explorer 6 (IE 6) up to four times more often than the newer version IE 7 (pg. 33). Statistics on the OS level reveal that the newer versions of Windows are less likely to be infected by malware — Windows XP SP3 is more than five times better than the original Windows XP, and Windows 7 is another three times better than XP SP3 (pg. 85). In addition, 64-bit implementations add another layer of robustness.
Application attacks continue to increase. Adobe Reader attacks were used in 44 percent of the investigated cases, followed by an attack on a recent Internet Explorer vulnerability with 16 percent. The remaining 40 percent are divided by attacks on the OS and a variety of different software packages, including RealPlayer, Apple QuickTime, and AOL software (pg. 26).
Attacks against Microsoft Office make use of older vulnerabilities and can easily be avoided by keeping the software suite up to date. By applying the respective service packs, users can avoid the majority of Office file format attacks (pg. 43).
While Windows 7 (and Vista SP2) are clearly much better than the older versions of Windows, there has been an uptake in the infection rate. Attackers are starting to focus their attention on Windows 7 as it becomes more widely deployed, and it will be interesting to see how its performance develops.
It is clear that Microsoft believes that the more you patch and update your products, the lower your chances of experiencing a security breach / attack. If you are cynical and say that of course Microsoft wants you to upgrade your products because it makes them more money, I won't argue with you.
A best practice, and one that you should follow as you implement the HIPAA Security Rule, is to perform a Risk Assessment that includes a vulnerability scan. The vulnerability scan will identify all the holes and vulnerabilities in your current software (operating system, application software, network equipment, etc.). Once you get the results of the vulnerability scan, you will want to apply the appropriate software patches and/or upgrades to eliminate or minimize the risk from those vulnerabilities. Moving forward, you will want to adopt a software patching process that applies the latest patches as software vendors release them. Microsoft offers a few free ways of keeping your software up to date.
Once again, the more you keep your software updated, the less likely you are to experience a security breach / attack.