
Close the Window! Why Security Updates are Essential

By John B. Folkerts, CISSP, Information Security Manager, Canandaigua National Bank & Trust

You’ve purchased your new personal computer and connected it to your home network. What happens next? Microsoft (or Apple depending on your preference) begins a seemingly never-ending process of “updating.” Sometimes comforting and sometimes annoying, our computers seem to want to update all of the time, requiring reboots, delays, and sometimes breaking things. Why all the fuss about updates?

Back in the Internet stone age (about 20 years ago), software came as a single product. You installed it and it never changed. When you wanted a new version, you went to the store and purchased the new one. No one worried about updates.

But security challenges were mounting. Various security-interested people (from “good guy” technophiles to “black hat” hackers) were in a continual search for security bugs in software. These were the cause of numerous intrusions, data heists, and identity thefts over the years. Software vendors realized that they needed to quickly fix any security problems, or they would soon be out of business.

The normal process goes like this:

  1. Someone notices a security problem (“vulnerability”), either an internal company developer, or an outside party.
  2. The software vendor creates an update to fix the security problem.
  3. Security updates are made public so that ordinary people can apply the fixes.
  4. Once the updates are public, other researchers and hackers may try to figure out ways to take advantage of (“exploit”) the problem. They often publish their exploit tools for anyone to use.
  5. Users on the Internet update their software, after which they are safe from attacks against this particular security problem.

The time between Steps 3 and 5 is what is called the “Window of Vulnerability.” That is the period of time that your system is vulnerable to any given attack, and naturally we would like that window of time to be small.

How long is that window of vulnerability normally? Not very long, and shortening all the time. For example, a few years ago a serious vulnerability was released to the public. Because it was released during the holidays, many of the people responsible for applying the fixes delayed their updates. 24 days later, attacks on the Internet began (presumably the bad guys used Christmas break to work on their attack code). That is an example of an ordinary window of vulnerability.

Your window of vulnerability could be a lot shorter. In the worst case, the attackers have figured out how to exploit the problem before the software vendor has provided a patch. But whether it takes 1 day or 24 days, the main takeaway is clear: close the window of vulnerability by applying your security updates as soon as possible!

How do you keep your Window of Vulnerability short? Here are some tips:

  1. If offered the chance to update your software – take it!
  2. When prompted to reboot – do it! (fixes are not effective until a reboot occurs)
  3. If you have the option – turn on automatic updates.
  4. Check your software versions – you may need to apply updates manually.
  5. If your software vendor is no longer providing security updates, it’s time to find a new software package that does get updates.

Many people do not realize the speed at which security problems can escalate on the Internet and the amount of effort that is being put into exploiting security software. Make sure that you are keeping up with software changes as they happen. In doing so you will close your window of vulnerability to the most significant cyber risks online.