GCHQ & NCSC Security Update Advice

I tend to agree with everything the Government Communications Headquarters (GCHQ) and National Cyber Security Centre (NCSC) have published advising businesses, enterprises, Government and residential users on cyber security.

During the NCSC CYBERUK21 virtual conference, several key NCSC directors, experts and leaders issued advice that I do not agree with, or view as a simplistic approach: enabling automatic security updates.

Enabling automatic updates of any kind tends to lead to a loss of operational continuity.

Businesses, enterprises, Government departments and similar organisations should instead improve their update policies.

Dr Ian Levy, NCSC Technical Director:

"Patching is now so much easier and so much less risky than it was when we first started doing this stuff. If there's one thing that anyone out there wants to take away, turn on automatic updates, please – even if you're an enterprise, turn on automatic updates."
"The sort of things we've seen over the last six to nine months like the big vulnerabilities and the big incidents, a lot of them come down to people not patching properly. And I know it's really boring but it is really important."
"People were taking weeks and weeks to patch, even though there was all the noise in the news, even though we were individually contacting them to say 'hey, you've got a vulnerable Exchange server, please patch'."
"Think about how people select victims – look across your external-facing stuff and you can see exactly what they can see. As soon as RDP pops up, run back home and turn it off because it shouldn't be connected to the internet anymore."
"That's not okay, that's not been patched; we know that's one of the favourite ways of various threat groups to get in – external-facing unpatched vulnerabilities, you kind of deserve what you get if you're on that space these days!"

Paul Chichester, NCSC Director of Operations:

"This can be done, there are organisations, companies, sectors that do this effectively. This isn't a technical problem anymore, it's an investment problem, it's a skills problem, it's making sure you use the right capabilities in the right way and make the right investment choices."
"This is not something that's impossible to fix. Even the highest-end nation state, you can defend against those capabilities and the technology and capability is out there."

Lindy Cameron, NCSC CEO:

"My sense is the benefit of having SolarWinds as a shorthand for a much wider set of activity is there is a bit more conversation in the boardroom; there's been a lot of coverage on this incident."
"My hope is CEOs are asking questions of their CISO and actually demanding to know there's a system in place to make sure they can patch on a regular basis."

The advice is for everyone:

  1. End user
  2. System administrator
  3. Service provider

The advice applies to businesses, enterprises, Government departments and residential/personal computers, services, etc.

I agree that something needs to improve following the lack of security patching of Microsoft Exchange 2019 on-premises servers. However, the NCSC's advice to enable automatic security patching is not the right solution for non-residential computers.

MaX's Patch Policies

Enabling automatic security updates is not my chosen solution.

Running an update server in the cloud is my chosen route, along with a synchronised cache or update server on my CAN/LAN/MAN.

MaX prefers to build update procedures along these lines:

  1. Security updates roll out the next working day after successful short-duration testing
  2. Feature updates roll out five to 10 working days after successful medium-duration testing
  3. Large updates roll out 10 to 20 working days after successful medium-to-long-duration testing

This is mostly for medium to large businesses and massive enterprises along with Government departments and organisations.
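To make the three tiers above enforceable on the on-prem update server rather than left as prose, here is an added example (not code from this page or from MaX's own tooling) that turns the policy into working-day rollout windows and an approval gate. The window lengths come from the list above; the idea that each update carries a recorded pass/fail from a test ring, the `UpdateRecord` shape, the sample update identifiers and the holiday calendar are assumptions made for the example. Working days are Monday to Friday minus listed holidays, so a Friday security release rolls out on Monday, not Saturday.

```python
"""Staged update rollout scheduler for a three-tier patch policy.

Added example: window lengths follow the policy above; the test-ring result
field, sample identifiers and holiday list are assumptions, not from the page.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class UpdateClass(Enum):
    SECURITY = "security"   # roll out next working day
    FEATURE = "feature"     # 5 to 10 working days after release
    LARGE = "large"         # 10 to 20 working days after release


@dataclass(frozen=True)
class Tier:
    earliest: int   # working days after release before rollout may start
    latest: int     # working days after release by which rollout must be done


# Rollout windows as stated in the policy. Testing ("short", "medium",
# "medium-to-long") must have passed before `earliest`; the gate below
# refuses to deploy anything whose test result is not a pass.
POLICY = {
    UpdateClass.SECURITY: Tier(earliest=1, latest=1),
    UpdateClass.FEATURE: Tier(earliest=5, latest=10),
    UpdateClass.LARGE: Tier(earliest=10, latest=20),
}


def add_working_days(start: date, n: int, holidays: frozenset = frozenset()) -> date:
    """Advance `start` by `n` working days (Mon-Fri, skipping `holidays`)."""
    current = start
    remaining = n
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:
            remaining -= 1
    return current


def rollout_window(released: date, cls: UpdateClass, holidays: frozenset = frozenset()):
    """(earliest, latest) calendar dates on which this class may be deployed."""
    tier = POLICY[cls]
    return (add_working_days(released, tier.earliest, holidays),
            add_working_days(released, tier.latest, holidays))


@dataclass(frozen=True)
class UpdateRecord:
    update_id: str
    cls: UpdateClass
    released: date
    test_passed: bool   # assumed: outcome recorded by the test/staging ring


def decide(record: UpdateRecord, today: date, holidays: frozenset = frozenset()) -> str:
    """Approval gate run before an update is released to production rings.

    BLOCKED - testing not passed; never deploy
    HOLD    - tests passed but the rollout window has not opened yet
    DEPLOY  - inside the rollout window
    OVERDUE - window closed without deployment; escalate
    """
    if not record.test_passed:
        return "BLOCKED"
    earliest, latest = rollout_window(record.released, record.cls, holidays)
    if today < earliest:
        return "HOLD"
    if today <= latest:
        return "DEPLOY"
    return "OVERDUE"


# Constructed sample data: three updates published on Friday 14 May 2021.
# The holiday set is an assumption (31 May 2021, a UK bank holiday).
UK_HOLIDAYS_2021 = frozenset({date(2021, 5, 31)})
SAMPLE = [
    UpdateRecord("SEC-0001", UpdateClass.SECURITY, date(2021, 5, 14), True),
    UpdateRecord("FEAT-0002", UpdateClass.FEATURE, date(2021, 5, 14), True),
    UpdateRecord("LARGE-0003", UpdateClass.LARGE, date(2021, 5, 14), False),
]

if __name__ == "__main__":
    today = date(2021, 5, 17)
    for rec in SAMPLE:
        lo, hi = rollout_window(rec.released, rec.cls, UK_HOLIDAYS_2021)
        print(f"{rec.update_id:11} {rec.cls.value:9} window {lo} .. {hi} "
              f"-> {decide(rec, today, UK_HOLIDAYS_2021)}")
```

Run against the constructed sample, the security update is in its one-day window on Monday 17 May, the feature update is on HOLD until 21 May, and the large update stays BLOCKED regardless of date because its test ring has not passed. The bank holiday pushes the large tier's 20-working-day deadline from 11 June to 14 June, which is the kind of drift a fixed "N days" calendar rule would miss.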

I would love for NCSC to be our national patch-check organisation, but enterprises will need to do a lot more for their individual use, given the billions of pieces of software in use across the United Kingdom.
Educational institutions would be better supported by a group such as Jisc, which already has a cyber security division, rather than going it alone.