Auto-Update Leads to Auto-Hack
Posted on 03/29/2019 at 11:23 AM by John Lande
News broke recently that hackers gained backdoor access to as many as 1 million ASUS computers by compromising the ASUS automatic update system. The hackers planted malware in the system that pushes out software updates to ASUS computers. Automatic updates, by necessity, have access that bypasses a computer’s security system in order to install software patches.
These updates frequently patch security flaws. This blog has previously discussed the importance of installing patches promptly and routinely, because doing so mitigates one of the greatest sources of cyber-risk. Equifax’s failure to implement a patch led to one of the largest data breaches ever reported.
The hackers’ exploitation of ASUS’s automatic update platform is particularly insidious because so many organizations make routine implementation of security updates a core part of their cybersecurity plan. Reports indicate that the hackers in this case were likely interested in only a few particular machines, but it is not difficult to imagine hackers turning their attention to a broader target list.
This incident demonstrates there is no silver bullet in cybersecurity preparedness. Organizations cannot rely on automatic software updates to prevent every cybersecurity incident. In addition to hardware and software solutions, organizations need to implement controls and processes to reduce the risk of a cybersecurity event. These controls can include segregating duties within the organization, limiting access to sensitive information, and training employees on what to do when an intrusion has been detected.
The material, whether written or oral (including videos), that is posted on the various blogs of Dickinson Law is not intended, nor should it be construed or relied upon, as legal advice. The opinions expressed in the various blog postings are those of the individual author; they may not reflect the opinions of the firm. Your use of the Dickinson Law blog postings does NOT create an attorney-client relationship between you and Dickinson, Mackaman, Tyler & Hagen, P.C. or any of its attorneys. If specific legal information is needed, please retain and consult with an attorney of your own selection.