The cyber attack affecting a large part of the UK NHS (and also many organisations globally) has been widely reported over the weekend. As usual, I find myself screaming at the TV, due to the misdirection being put forward by the media as to the causes of, and solutions to, the problem. This morning I read an article on ZDNet suggesting we should stop disabling automatic updates. You can find the article here. After reading such nonsense, I feel compelled to put pen to paper and have a good old-fashioned rant at the way the IT industry is managing itself.
Auto Updates are Bad
OK, for me, definitely. As an IT professional, I don’t need to be directed by Microsoft, IBM or any other operating system or software vendor on how I should update my systems. I have a few simple principles that I follow:
- Upgrade progressively. Roll out updates and patches to less critical systems first in order to assess their impact. Things go wrong when patches are applied. Vendors don’t validate every software change across every type of system, and you will be caught out.
- Upgrade for security as soon as practically possible. Critical updates should be pushed out as soon as practical. Don’t wait to update for zero-day and similar exploits.
- Upgrade features where needed. Only take feature upgrades when they are useful or needed. Don’t blindly upgrade otherwise you may find critical features have disappeared.
- Perform regular roll-up patching. On a periodic basis, plan to catch up with patches. This reduces the time to do the next set of patches and allows time for patches to have been tested in the wild and catch patch code issues.
- Test. Make sure patches don’t have adverse effects by applying them to test environments first. Have a backout plan.
Obviously having many systems to manage means patching can be onerous, but that doesn’t mean it should be set to automatic mode.
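To make the five principles above concrete, here is a small rollout planner written for this post as an added illustration; it is not code from the original article or from any vendor. It treats the principles as one possible policy: security fixes still pass through a test ring but go everywhere within a day when severe, routine “updates” wait until they have been in the wild for a while and then join the next periodic roll-up, feature upgrades are held until someone decides they are needed, and an update with no vendor description is sent for review rather than installed blindly. The ring names, soak times, roll-up cadence and patch records are all constructed sample values.

```python
"""Staged patch-rollout planner (added illustration, not the post's own code).

Patch records, ring names, soak times and the roll-up calendar are constructed
sample values; the decision rules are one way to encode the five principles.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Patch:
    patch_id: str        # constructed identifier, not a real KB number
    classification: str  # "security", "update" or "feature"
    severity: str        # "critical", "important", "moderate", "low" or "n/a"
    released: date       # vendor release date
    change_log: str      # vendor description; empty string means undocumented


# Rollout rings in order, each with the soak time (days) before the next ring.
RINGS = [("test", 2), ("pilot", 3), ("general", 5), ("critical", 0)]
ROLLUP_INTERVAL_DAYS = 28          # assumed periodic catch-up cadence
ROLLUP_EPOCH = date(2017, 1, 2)    # assumed anchor date for the roll-up calendar
MIN_DAYS_IN_WILD = 14              # let other sites find the bad patches first


def next_rollup(today: date) -> date:
    """First roll-up window on or after `today`."""
    since = (today - ROLLUP_EPOCH).days % ROLLUP_INTERVAL_DAYS
    return today if since == 0 else today + timedelta(days=ROLLUP_INTERVAL_DAYS - since)


def ring_schedule(start: date, urgent: bool) -> dict:
    """Map each ring to its install date, starting at `start`.

    Urgent patches still hit the test ring first, but only for one day;
    every remaining ring then installs together on the following day.
    """
    schedule, when = {}, start
    for ring, soak in RINGS:
        schedule[ring] = when
        step = (1 if ring == "test" else 0) if urgent else soak
        when += timedelta(days=step)
    return schedule


def plan_patch(patch: Patch, today: date) -> dict:
    """Decide status, reason and ring schedule for a single patch."""
    base = {"patch": patch.patch_id, "schedule": {}}
    if patch.classification == "feature":
        return {**base, "status": "hold",
                "reason": "feature upgrade: install only if the feature is needed"}
    if not patch.change_log.strip():
        return {**base, "status": "review",
                "reason": "vendor gave no description; read the KB article first"}
    if patch.classification == "security":
        urgent = patch.severity in ("critical", "important")
        return {**base, "status": "expedite" if urgent else "staged",
                "reason": f"security fix, severity {patch.severity}",
                "schedule": ring_schedule(today, urgent)}
    # Routine update: wait until it has been in the wild, then take the next roll-up.
    start = max(next_rollup(today), patch.released + timedelta(days=MIN_DAYS_IN_WILD))
    return {**base, "status": "rollup",
            "reason": "non-security update deferred to the periodic roll-up",
            "schedule": ring_schedule(start, urgent=False)}


def plan_all(patches, today: date) -> list:
    """Plan every patch, most urgent first."""
    order = {"expedite": 0, "staged": 1, "rollup": 2, "review": 3, "hold": 4}
    return sorted((plan_patch(p, today) for p in patches),
                  key=lambda r: (order[r["status"]], r["patch"]))


# Constructed sample data: a planning date and a mixed bag of outstanding patches.
TODAY = date(2017, 5, 15)
SAMPLE_PATCHES = [
    Patch("SAMPLE-SEC-001", "security", "critical", date(2017, 3, 14),
          "Fixes a remote code execution flaw"),
    Patch("SAMPLE-UPD-002", "update", "n/a", date(2017, 5, 10),
          "Reliability improvements"),
    Patch("SAMPLE-FEA-003", "feature", "n/a", date(2017, 5, 1),
          "New sharing experience"),
    Patch("SAMPLE-UPD-004", "update", "n/a", date(2017, 5, 12), ""),
    Patch("SAMPLE-SEC-005", "security", "moderate", date(2017, 5, 9),
          "Fixes an information disclosure issue"),
]

if __name__ == "__main__":
    for plan in plan_all(SAMPLE_PATCHES, TODAY):
        dates = ", ".join(f"{r}={d}" for r, d in plan["schedule"].items()) or "-"
        print(f"{plan['patch']:<16}{plan['status']:<9}{dates}")
        print(f"{'':<16}{plan['reason']}")
```

Run it as a script to see the plan for the sample patches; the critical security fix lands on the test ring on the planning day and on every other ring the day after, while the routine update waits for the roll-up window on 24 May and then walks through the rings. The policy is deliberately boring: the value is that the same rules apply to every patch, whichever vendor it came from.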
Auto Updates are Good
Now here’s where we start to hit a grey area. Auto updates are definitely bad for server-based installations and certainly not appropriate for storage systems and other hardware infrastructure devices. But the Press continues to conflate consumer and enterprise advice, assuming that what we do on our phones, tablets and laptops/desktops should apply equally to enterprise environments. For most home users, auto updates are probably a good thing. The majority of consumers neither understand nor care about effective patch management. They simply want safe, easy-to-use devices. The price of the occasional patch issue on one device is far outweighed by the benefits of having a fully patched system. However, corporate desktops and laptops are not consumer devices and we shouldn’t treat them the same way.
One piece of advice that does annoy me was given out by the UK’s Security Minister this morning. He advocated always accepting updates to applications running on our mobiles (as well as desktops). However, the majority of these updates are bug fixes and “enhancements” that may not be relevant. This brings me to industry responsibility.
Blame Microsoft, Blame Developers
The industry itself has to shoulder a significant amount of blame for the position we find ourselves in. Look at the following screenshot from a test desktop environment I have running. There are dozens of outstanding patches, all pointing to knowledge base articles that take significant time to read. The security updates are relatively easy to identify, whereas the rest are just classified as “updates”. They could be bug fixes or new features – without checking each one, I have no idea what they change. There are no specific standards relating to how patches are classified. I’d like to see some standards around how we identify the importance of each patch, so we can quickly determine which should be pushed immediately and which can wait. The ability to install by category should be consistent – and we should be able to use the same policies and definitions across all operating systems.
We should also point the finger of shame at developers. Have you ever looked at the description of an app update to see “This update includes a few bug fixes and performance improvements”? So, Mr/Ms Developer, did you slip in any additional features or changes? What’s the release version? Again, Microsoft are one of the worst offenders here. Look at this image from Skype – how exactly did Skype get better with this version upgrade? What changed? Can’t you even tell me what version I’m upgrading to/from?
The majority of consumers won’t want to check the details of what an upgrade does, but smartphone apps are increasingly being used for business and are therefore becoming critical for business users on a daily basis. We can’t afford lazy developers who can’t be bothered with documentation.
The Architect’s View®
We need an improved level of detail from our vendors to get patching right. This needs to be a cross-industry initiative, not just something from a single vendor.
People have said that the NHS doesn’t have sufficient resources to manage its IT systems. It’s more likely that patch management is too much of an overhead. Simplification by the vendor is critical. However, let’s not confuse our iPhone use with enterprise computing. They’re not the same thing – after all, would you be happy if your bank experimented daily with changes to its banking app and the contents of your current account? Probably not!
- NHS ‘must learn’ from cyber-attack and upgrade software (BBC News, retrieved 15 May 2017)
Copyright (c) 2009-2022 – Brookend Ltd, first published on https://www.architecting.it/blog, do not reproduce without permission. Post #e469.