-3

We have some linux(ubuntu) based VMs running in the cloud in a private network and they do not have external/public IP address. We have some apps running on those servers and everything is working fine. My question is: are there any arguments for doing regular updates on those machines? How about security patches only?

The counter arguments I came up with are:

  • Updates would create some downtime for our service
  • updates can break things
  • time spent updating + testing things still work after update can be spent somewhere else
  • these machines do not have internet access so we need to enable it during the updates which is itself a security risk.

PS: Of course, bastion hosts will be fully secured/patched.

enter image description here

Caner
  • 95

2 Answers2

3

Yes, every VM connected to a network should be updated!

Let's flip your arguments around:

  • security breaches would create some downtime for our service
  • security breaches can break things
  • time spent cleaning up after a security breach can be spent somewhere else

Take a look at some recent security breaches and you'll see that in some cases the attackers spent months inside a network searching for weak links.

Imagine how excited they will be when they find oodles of unpatched VMs on the network, giving them lots of opportunities for exploits.

Only installing security patches is a decent start, but sometimes the best security patch is updating to a new version. Software vendors don't release security patches for old versions forever.

...patching the security hole was labor intensive and difficult, in part because it involved downloading an updated version of Struts and then using it to rebuild all apps that used older, buggy Struts versions.

Failure to patch two-month-old bug led to massive Equifax breach

Community
  • 1
Dan Wilson
  • 3,143
2

Updating properly does indeed take a large number of resources. You have to test it, apply it, and deal with any downtime, or issues the update may have caused. For the truly concerned you also need to check/know what issues are fixed and what new issues may be exposed. It can be very tempting to skip updating.

There is one case that I can think of where updating may not be worth it. That is when your updating short-lived worker instances, that are network isolated. A great example of this is an app I worked on. It would need to process images and video. When it was time to process video, it would spawn an instance, with the video file in a location, boot the instance, process, shove the file to another server and then turn off the instance, and delete it. The entire instance was up for maybe an hour a run. We never updated "those instances" and instead would update the image they came from. But even then we didn't update frequently, because the risk just wasn't there.

That said, normally any network (not just internet) connected machine should be updated. This is because any other machine on the network may have been infected. There are a lot of "worms" that do just that. They enter a protected network via a compromised machine then "go to town" because the other networked machines don't have any protections.

Another really good reason is that unless your really lucky (or unlucky) Your not the only key holder. Who knows what dumb, silly, and just plain stupid things the other guy will do. Remember the days of Windows XP. You would boot the machine up and because of this newfangled cable modem thing before you could boot you would get a virus or two. 1 idiot setting the wrong permissions for 30 seconds could totally bork your network.

Always wear your raincoat. The End.

coteyr
  • 2,583