New year, new patches: A look back and what to expect in the future

As to be expected when ringing in a new year, there are predictions galore flooding social media, and that includes the cybersecurity space. Predictions are more than just possibilities when it comes to the landscape we now know as IoT, based on the trends that ushered out 2016.

Although the actual forecast for patches to be released this upcoming Patch Tuesday is looking to be rather uneventful, that just means we should take some extra time to think about what lessons can be learned from last year and start preparing for the year ahead of us.

Recap of threats from 2016

Zero-day: 2016 had its share of zero-day exploits. Of the 9 discovered exploits, 5 came from Microsoft products which were all patched in October. Some of the other culprits in the zero-day area included Adobe Flash Player and Mozilla Firefox.

Although the total number of zero-day exploits has decreased over the last few years, do not let that give you a false sense of security since, by definition, zero-day attacks are dealing with the unknown. Cyber attackers are not going away and their skill level only seems to be getting more sophisticated.

Data breach: According to ITRC in their Data Breach Report for 2016, as of December 13th, 2016, the number of breaches totaled 980, with 35,233,317 records exposed. The 2 categories that suffered the largest record exposure were Government/Military and Medical/Healthcare. The biggest data breach in history, though, was awarded to Yahoo after announcing 2 different breaches within a span of several months.

Ransomware: According to Barkly blogger Jonathan Crowe, “Attacks are up, ransom demands are up, and with every new Bitcoin payment deposited, not only is there new incentive for criminals to improve their technology and techniques, there’s new incentive for more criminals to get in on the action.” I am sure this does not come as too big of a surprise, but the number 1 vehicle for delivering ransomware in 2016 was email.

Barkly noted that 59% of ransomware infections came from emails with malicious links and malicious attachments. An Osterman Research survey indicated that users are more than twice as likely to be infected by clicking something in an email than by visiting an infected website directly.

Key takeaways from 2016

  • Frequently patch both the OS and the software on your devices. Do not forget third-party applications, as they are just as susceptible to vulnerabilities as the OS and its associated apps.
  • Think before you click! This message needs to be spread throughout your user base so that everyone is aware of the potential risk that links and attachments within emails can pose.
  • Make sure to enter login credentials and credit card information only on web pages using HTTPS. You do not need to make it any easier for cyber attackers to breach your information.

Planning for 2017: Upcoming Patch Tuesday forecast

As of now, there are no known zero days to be aware of. There has also been little chatter on various websites to indicate a busy Patch Tuesday for the first one of 2017. However, based on the trends we saw in 2016, there are some safe assumptions we can make as to what the January 2017 Patch Tuesday will likely include.

We will likely see a few installable packages from Microsoft. With the new servicing model, there will be a single installable package containing updates for the OS and IE. There will probably be an update for Office as well, based on how consistently patches were released monthly during 2016.

Adobe typically releases Flash Player on Patch Tuesday, so that update is expected. There will likely be an update as well for both Adobe Reader and Acrobat, especially since an update has not been released since last October and one has consistently been released every 2-3 months.

There is a 50/50 chance of Chrome releasing an update as well, since a beta version was released after the last Patch Tuesday of 2016. It’s a new year, so take this opportunity to be aware of the security practices you have in place, and if you do not have any or have not been diligent in the past, make security a New Year’s resolution.