A: Although I can’t speak specifically as to why your IT support doesn’t want you to run updates, I can give reasons why MintzIT restricts clients from doing so. Spoiler alert… It’s not because we are power-mad admins trying to keep the end-user under our boot!
Having an authorized, qualified IT technician or consultant be the only one who runs updates, installs applications, and performs maintenance on your computer and other IT equipment is so important, it is actually a requirement of the NIST 800-171 (the gold-standard checklist for cybersecurity practices), and HIPAA and SEC covered entities. In point of fact, all of these best-practices prohibit the end-user from even knowing an administrative password!
- Best practices include everyone – even admins – to log in with a non-admin account.
- The primary reason is that both malware and hackers take on the power of the currently logged in user. If the user is logged in with an administrator account, the malware or hacker can assume full control over the computer. If the user is logged in with a non-admin account, the malware or hacker is usually limited to controlling the user data.
- Another issue with knowing the admin password is that it is almost impossible to know when malware or a hacker are attempting to take over a computer. The best and most common example is when visiting a website and an alert pops up stating your Adobe Flash is out of date – click here to download. It is almost guaranteed this is malware and not the real Flash. But how does an end-user know?
- Most cybersecurity experts go further with mandating all non-admin users log in with Parental Control (macOS) or Child (Windows) accounts. The reasoning behind this is that even the very best antivirus software can only catch 99.9% of known malware. It is estimated there are up to 40,000,000 malware variants in the wild, leaving up to 40,000 known malware that won’t be caught. This number doesn’t include unknown malware, which is almost certain to get through to your system. Some malware has been in the wild for up to 9 years before being found! With a Parental Control or Child account, it is possible to implement Application Whitelisting. This specifies which applications are permitted to launch, anything not on the list cannot launch. Malware, known or unknown would not be on the list, and therefore presents no security issue – unless the user has access to the administrator password to bypass the Whitelist.
- Most security settings on a computer cannot be modified by any other than an administrator account. Every day I see users who know the administrator password bypassing or removing these settings–usually because they see no reason for having them. What they don’t know is that with a click of a button and entering an administrator password, they have taken their computer from fully hardened to fully vulnerable.
- Even in the case of installing updates, there are issues of stability, compatibility, and security that must be researched prior to performing the update. When a user blindly updates something, they run very real risks. It is assumed that their IT professional will be aware of current risk parameters and know how to work around or with them.
So the bottom line is that your IT support is probably trying to keep your computer running smoothly and securely (if you are talking about your own personal computer), or is trying to follow Federal cybersecurity guidelines or legal requirements (if you are talking about a company computer).
If you simply can’t resist clicking that Install Now button, it wouldn’t hurt to call your IT professional first.
