Brown’s Bytes – Holding Back the Tide
Welcome to Brown’s Bytes! Your weekly insight from Mobliciti’s CTO Andy Brown. Follow #brownsbytes
19th May 2017
The WannaCry malware has brought patching back into focus and I thought it would be useful to look at how traditional OS patching often drives behaviour relating to patching in the world of Mobile.
First, let’s start with a few basic facts around the issue:
- All Operating Systems have security weaknesses
- When these are found there needs to be a patch to fix them
- Implementing a patch is implementing a change to your environment
- Changes break things in unexpected ways!
Windows has traditionally released each individual fix as an individual patch and then given the Administrator the power to decide which patches are rolled out and when. Patches can even be removed if a problem is found. This has driven a cycle of patch testing and a slow release of tested updates into the environment in a very controlled manner.
However, Mobile Operating Systems such as iOS and Android take a different approach:
- Mobile OS updates are Monolithic – they contain a mixture of many security updates, bug fixes and feature enhancements in a single update
- Updates are one way – you can’t go back
- The user decides when to install them (usually very quickly)
- The updates can come at any moment!
This causes a significant headache for Mobile Administrators. I’ve seen many organisations where they’re still thinking like a Windows Admin and send a message to the users saying something like:
“Please don’t install the update yet as it’s not been tested and may break things”
“Please don’t install the update as it breaks xxx App”.
Put simply, this is trying to apply the traditional patch testing cycle without the controls to do it properly.
It is the same as trying to hold back the tide.
Worse is the hidden issue…
Now imagine there is malware targeting the Mobile OS that the update fixes (and such malware already exists). That email to the users is now effectively saying “Please leave your device open to attack”. Nobody wants to be the Admin who has had a security incident as a result – the NHS running Windows XP is a prime example.
So, the top tip is simple here.
Implement patches as fast as you can and accept that things may break.
We’ve been banging the drum about Mobile Malware for a long time now. The threat is real and increasing! We can help you with this by implementing our Mobile Threat Defence solutions.
But at a basic level make sure the OS is patched as a minimum!
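Because mobile updates are monolithic and one-way, the administrator's lever is not "which patch goes out" but "is every device on at least the build that carries the fix". The following is an added example, not part of the original post or of any Mobliciti product: a small compliance check that compares each device's reported OS version against a per-platform minimum. The inventory layout, the device ids and the minimum versions are constructed placeholders (assumptions), not real advice; an MDM export would supply the real ones. The numeric comparison matters, because a naive string comparison ranks "10.10" below "10.9".

```python
import re
from typing import Dict, List, Tuple

# Constructed minimum patched versions per platform (placeholders for this example,
# not a recommendation). In practice these come from your MDM policy.
MINIMUM_VERSION: Dict[str, str] = {
    "ios": "10.3.2",
    "android": "7.1.2",
}

# Constructed inventory in the shape an MDM export might give (assumption).
INVENTORY: List[Dict[str, str]] = [
    {"id": "dev-001", "platform": "iOS", "os_version": "10.3.2"},
    {"id": "dev-002", "platform": "iOS", "os_version": "10.10"},
    {"id": "dev-003", "platform": "iOS", "os_version": "10.3"},
    {"id": "dev-004", "platform": "Android", "os_version": "7.1.2"},
    {"id": "dev-005", "platform": "Android", "os_version": "6.0.1"},
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.3.2' or '10.10' into a tuple of ints so comparison is numeric."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(p) for p in parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b.
    Shorter tuples are zero-padded so '10.3' equals '10.3.0'."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def is_compliant(platform: str, version: str) -> bool:
    """True when the device runs at least the minimum version for its platform.
    Unknown platforms are treated as non-compliant so they get looked at."""
    minimum = MINIMUM_VERSION.get(platform.lower())
    if minimum is None:
        return False
    return compare_versions(version, minimum) >= 0


def find_noncompliant(inventory: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (device id, reason) for every device that is behind or unclassified."""
    flagged: List[Tuple[str, str]] = []
    for device in inventory:
        platform, version = device["platform"], device["os_version"]
        minimum = MINIMUM_VERSION.get(platform.lower())
        if minimum is None:
            flagged.append((device["id"], f"no minimum version defined for {platform}"))
        elif not is_compliant(platform, version):
            flagged.append((device["id"], f"{platform} {version} is below minimum {minimum}"))
    return flagged


if __name__ == "__main__":
    # With the constructed inventory this reports dev-003 and dev-005.
    for device_id, reason in find_noncompliant(INVENTORY):
        print(f"{device_id}: {reason}")
```

Run against a real inventory, the flagged list is the set of devices that are still "open to attack" in the sense of the post; the follow-up is to chase the update on those devices rather than to tell users to wait.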