CODE EOL REVIEW
Code End Of Life (EOL) is often not factored in during purchases. Updating software and firmware is an essential part of most compliance standards and makes good security policy sense anyway.
Cyber Essentials requires that software:
- be patched within 14 days of an update being released, where the patch fixes a vulnerability with a severity the product vendor describes as ‘critical’ or ‘high risk’.
- be licensed and supported
- be removed from devices when no longer supported
There are many solutions to handle this, such as Microsoft SCOM, but these are usually expensive to buy and operate, and you often need to run several at a time from the various manufacturers of the different parts of your ICT estate.
The issue in recent years has been, and continues to be, the frequency of updates across the board, especially in operating systems and applications since the move to Agile-based development. For example, Microsoft Windows 10 and its related base programmes:
- These still follow the "Patch Tuesday" concept, apart from the major release every 6 months. In general Microsoft does tend to keep feature updates to the major releases, but in the last few years there have also been some emergency out-of-band updates.
- Windows Store apps usually receive a few updates every week
- Microsoft apps for iOS and Android devices are also updated frequently, and not necessarily to the same level of functionality across the different OS environments
A good patching process requires:
- Knowing what software and versions users have installed. This is likely to involve stopping users from installing unapproved software.
- Setting up a monitoring and assessment process for all supported code to keep on top of updates
- Trying to build one base machine with all code installed and then locking down which areas and applications a user can access
- A proper test kit setup, as some updates can be huge and require full testing of both functionality and the update process itself
- Double-checking all services, ports and authentication following an update to ensure there are no new issues and that no lockdowns have been reset
- Ideally a regular penetration test - required for Cyber Essentials Plus
- Hardware details of all supported devices, in particular:
  - BIOS version and settings, with a focus on lockdown options
  - TPM settings for security
  - Firmware for controllers such as network cards and disk I/O
- Keeping patching of the following on separate cycles:
  - Core operating system
  - Device drivers
  - Local applications
  - Cloud applications
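As an added example (not code from the original page), the check below applies the two Cyber Essentials rules above to a software inventory: it flags installed versions still below a vendor's critical or high-severity fix, marking them overdue once the 14-day window has passed, and flags products whose support has ended as "remove". All hosts, product names, versions and dates are constructed placeholders; in practice the inventory would come from your asset register and the advisories from vendor release notes.

```python
from collections import namedtuple
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=14)            # Cyber Essentials: patch within 14 days
IN_SCOPE_SEVERITIES = {"critical", "high"}   # vendor's own severity rating

# One installed product on one host, and one vendor advisory
Installed = namedtuple("Installed", "host product version")
Advisory = namedtuple("Advisory", "product fixed_version severity released")

def version_key(version):
    # Compare dotted versions numerically: "1.10.0" is newer than "1.9.0",
    # which a plain string comparison would get wrong
    return tuple(int(part) for part in version.split("."))

def check(installed, advisories, support_end, today):
    """Return (host, product, finding) tuples for every compliance gap."""
    findings = []
    for item in installed:
        end = support_end.get(item.product)
        if end is not None and end < today:
            # Unsupported code must be removed, whatever its patch state
            findings.append((item.host, item.product, "unsupported: remove"))
            continue
        for adv in advisories:
            if adv.product != item.product or adv.severity.lower() not in IN_SCOPE_SEVERITIES:
                continue
            if version_key(item.version) < version_key(adv.fixed_version):
                deadline = adv.released + PATCH_WINDOW
                status = "overdue" if today > deadline else "due"
                findings.append((item.host, item.product,
                                 f"{status}: patch to {adv.fixed_version} by {deadline}"))
    return findings

# Constructed sample data (hypothetical hosts, products, versions and dates)
INVENTORY = [Installed("pc-01", "Example Runtime", "1.8.0"),
             Installed("pc-02", "Example Runtime", "1.9.2"),
             Installed("pc-03", "Legacy Office Suite", "3.1")]
ADVISORIES = [Advisory("Example Runtime", "1.9.0", "critical", date(2024, 2, 10)),
              Advisory("Example Runtime", "1.9.2", "low", date(2024, 2, 20)),
              Advisory("Example Runtime", "1.9.3", "high", date(2024, 2, 25))]
SUPPORT_END = {"Legacy Office Suite": date(2023, 12, 31)}
TODAY = date(2024, 3, 1)

if __name__ == "__main__":
    for host, product, finding in check(INVENTORY, ADVISORIES, SUPPORT_END, TODAY):
        print(f"{host:6} {product:20} {finding}")
```

Low-severity advisories are deliberately ignored, since the 14-day rule only covers fixes the vendor rates critical or high; you may still want to schedule them on the normal cycle.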
A core issue is users who go for cheaper low-end devices; these often drop out of support quickly or are simply never updated. For example, many Android devices do not receive new versions of the operating system or significant patches, and even the bigger players like Samsung can take months to push out an update that Google has already released for its own devices. The 2017 KRACK Wi-Fi vulnerability is not being patched on older Android OS versions, so those devices are not secure and must no longer be used to stay compliant. That said, most suppliers now have planned support cycles, as Apple does.
It’s not enough to know the basic model of a device; you need to examine the fine detail of its configuration, which is why many users pick a good model that will be supported and updated for at least 3 years and can handle any planned usage.
- Where manufacturers don’t provide good release notes, review your test plans for interoperability and test these in more detail
- Don’t forget to check firmware in:
  - Routers and switches
  - IoT devices like IP cameras
- Keep track of all third-party intermediate products:
  - Content delivery - WordPress and its plugins, Moodle, Drupal
  - Run-time environments - Java, Node.js, .NET, PHP, Perl, Bootstrap
  - Script environments - PowerShell, Python
  - Coding - VStudio, Eclipse, NetBeans, Xcode
- Always have a rollback plan, which can mean a full backup before any large update
- Plan to replace kit every 3-5 years
- Plan to update all supported applications even if the update doesn’t seem to do anything for you functionally. This is why many users and suppliers use a subscription model.
- Avoid code written by less well-known suppliers and those who might disappear overnight
- Think carefully about BYOD and the costs of securing your key apps and data on such devices versus supplying your own devices