There’s an event referred to as spring cleaning, where we take some time from our regular routines to focus on bringing order back to our homes. We remove the junk that has accumulated, and clean and organize the remaining items so they look good again. This is an event we should implement in our IT routines, because it is critical to maintaining order.
The Center for Internet Security (CIS) controls provide a solid basis on which to organize any security program.The two basic controls to start with are inventory and control of hardware and software assets.
As part of our spring cleaning, we should remove any extra systems we have accumulated, reducing the number of systems we must secure and our exposure to attack. Discovery tools are critical to finding forgotten and no longer used systems. But how does this happen? As some examples, in the course of your support staff attempting to reproduce a customer bug, or the development team creating test configurations, virtual machines are created, used, and unfortunately, left behind. These systems are often left up and running as these organizations move on with their daily jobs. I’ve worked with many companies who are amazed when these systems are ‘re-discovered’.
Once you have control over your hardware and software assets, you should take a look at reviewing and updating several other aspects of your security program. Coming back to the CIS controls, re-evaluate your patch management program to ensure you are prioritizing and applying updates to systems at highest risk of exploitation.
Consider how you are limiting elevated and administrative privileges on your systems and also how you are leveraging and optimizing the built-in security options that come with the hardware and software you already own. There’s always more to consider when cleaning up – active defenses, data backup, disaster recovery, and so forth, but if we start with some basic spring cleaning, we’ve gone a long way toward providing an efficient and secure working environment.
Microsoft was back on track in April, releasing a much larger number of CVE fixes for their operating systems than in the previous months. We’ll see if that trend continues this month. Our grace period with Microsoft is over because the final security updates for Windows 10 1803 and 1809, which were extended due to the pandemic, as well as Windows Server 1909, occur with the May release. You should have a plan in place to update to a newer version of these operating systems.
My prediction last month that we may see a slowdown in service stack updates (SSUs) was way off because Microsoft released updates for all versions of Server 2012, Window 10 Server, and Windows 10 Desktop still under support. Maybe we will get a break this month.
May 2021 Patch Tuesday forecast
- The final updates for three Windows 10 operating systems are coming this month. As usual, we will see the Windows 10 cumulative updates, security-only and monthly updates for the actively supported operating systems, and, of course, the Extended Security Updates (ESUs) for Windows 7 and Server 2008/2008 R2. I expect an update for Internet Explorer since they skipped last month.
- Sharepoint Server and Microsoft Office will get its usual set of updates. It has been a while since we’ve seen a SQL server update, so one may be released.
- Adobe has a pre-announcement for APSB21-29 for Adobe Acrobat and Reader, so be prepared for that update.
- Apple has released security updates iCloud 12.3, macOS Big Sur 11.3.1 and Safari 14.1 over the past two weeks. Other than a possible iTunes update, I don’t expect any activity from Apple.
- Google released security update 90.0.4430.93 on April 26 which addressed the zero day for CVE-2021-21224 and several CVEs. There may be an update coming as Google did release another update to the beta channel.
- Mozilla released security updates Firefox 88.0.1, Firefox ESR 78.10.1, and Thunderbird 78.10.1 this week — as such, I don’t predict anything new next week.
Good luck with your spring cleaning! It will provide the ‘peace of mind’ you are organized and ready for the rest of the year.