About software

If hardware is the computer’s physical components, software is the set of instructions or programs that ‘run’ on a computer.

System software is what is used to manage a computer, an example being the operating system, which might be MacOS, WindowsOS or AndroidOS. If a device does not have an operating system installed, the screen will be blank when it is switched on. System software allows users and hardware to interact with each other.

Application software is any programme that enables the user to complete tasks. Every programme that you use on your device is application software. Examples are Microsoft Word, Excel, internet browsers such as Google Chrome and Apple Safari, and video games. If a device did not have any application software installed, you wouldn’t be able to use it for anything other than pre-installed features which come together with an operating system.
Software can be copied from a CD or DVD or downloaded from the internet onto a computer’s hard drive/USB drive.
Software as a Service (SaaS) is application software that is hosted by a cloud service provider eg Microsoft 365 or Dropbox. The software is not downloaded onto the user organisation’s IT infrastructure, but accessed remotely from any device and any location. (See guidance, applying the five controls to cloud services.)

Firmware is a term for a piece of software that is stored on a hardware device (eg a router), in order to make it run properly.

Virtualisation software – A hypervisor is a piece of software that is installed over the hardware of a server to run and manage virtual machines on that server. (See guidance, About virtualisation.)

Patching

Software is made up of thousands of lines of code, which is how the computer interprets information to complete its functions. In every 1000 lines of code there are on average 10-15 errors. Most of these errors are not noticeable to you as the user; however, each error is a potential opening for cyber criminals to access your data. These openings are often called ‘vulnerabilities’. Within a piece of software’s functioning life span, as soon as an error or ‘vulnerability’ is discovered, the manufacturer creates some additional code to correct the error. This is known as ‘patching’. All modern software will need to ‘update’ on a regular basis (at least every 14 days) as part of its maintenance. This ensures that the latest vulnerabilities that have been discovered are patched within 14 days of the update being made available by the software vendor.

You should make sure you have ways of keeping each of the following important types of software up to date:
  • Operating System (OS)
  • Firmware
  • Web browser and extensions
  • All applications
  • Anti-virus

The easiest and most effective way to ensure that all your software is kept up to date is to turn on automatic updates on each of your devices. This will mean that patches are automatically applied when they are released by the respective vendor. Many devices have automatic updates enabled as default. Some updates might require the device to be manually restarted. If a device hasn’t been restarted in a while then the update might not be installed.

You can check that automatic updates are turned on in Settings, under Update & Security, or in System Preferences, under Software Update.

For some organisations, there is a concern that some software updates may stop other software from working or cause some features to break. Most IT teams in larger organisations aim to fully test each update on a controlled sample of devices before applying it company-wide.

A number of recent high-profile cyber attacks have proved that, within a matter of hours, cyber criminals can use a newly discovered software vulnerability to create a mass cyber attack and send it out to millions of users. Any user that had not installed the patch for that newly found vulnerability would fall victim to that cyber attack. For this reason, it is now a Cyber Essentials requirement that all *high and critical updates must be applied within 14 days. Organisations must not be selective about which patches they apply and leave themselves vulnerable.

* Some vendors use different terms to describe the severity of vulnerabilities. ‘Critical’ or ‘high risk’ can also be described as a CVSS v3 score of 7 or above, which uses the Common Vulnerability Scoring System (CVSS) to provide a numerical representation of the severity of software vulnerabilities.

Unsupported software

When software gets to a certain age, the manufacturer will cease to create and send out patches. The age at which this occurs varies significantly between vendors. At this point, the software is classed as ‘legacy’, is no longer supported and is therefore no longer secure to use. Not only are the vulnerabilities left unpatched, but they become common knowledge for hackers, who create programmes and services to make them easy to exploit, even for criminals with low levels of technical expertise.

Software that is no longer supported should be removed from devices, or removed from scope by placing it in a defined sub-set that prevents all traffic to/from the internet.

All of your software needs to be licensed and supported. This means that you have a legal right to use it and that a vendor has committed to support it by providing regular updates (patches). The vendor must provide the future date when they will stop providing updates. Finding out how long your software is going to be supported will determine how long it will be functional before you need to purchase more. This may influence your decision about which software you invest in.
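The two rules above (high and critical updates, meaning a CVSS v3 score of 7 or above, applied within 14 days of release; and every product having a vendor-published end-of-support date that has not yet passed) can be checked mechanically against a software inventory. The following is an added example, not code from the guidance or from any Cyber Essentials tooling. The inventory, product names, update identifiers and dates are constructed for illustration; the data class layout and the `review_inventory` function are assumptions about how such a check might be structured.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Thresholds quoted in the guidance: high/critical = CVSS v3 score of 7 or
# above, and such updates must be applied within 14 days of release.
PATCH_WINDOW_DAYS = 14
CVSS_HIGH_THRESHOLD = 7.0


@dataclass
class PendingUpdate:
    """An update the vendor has released but this device has not yet installed."""
    identifier: str
    cvss: float        # CVSS v3 base score published with the update
    released: date     # date the vendor made the update available


@dataclass
class SoftwareItem:
    """One installed product, with the vendor's published end-of-support date."""
    name: str
    version: str
    support_ends: Optional[date]      # None = vendor has published no date
    pending: list = field(default_factory=list)


def is_high_or_critical(update: PendingUpdate) -> bool:
    return update.cvss >= CVSS_HIGH_THRESHOLD


def days_outstanding(update: PendingUpdate, today: date) -> int:
    return (today - update.released).days


def overdue_updates(item: SoftwareItem, today: date) -> list:
    """High/critical updates that have been available for more than 14 days."""
    return [u for u in item.pending
            if is_high_or_critical(u) and days_outstanding(u, today) > PATCH_WINDOW_DAYS]


def is_unsupported(item: SoftwareItem, today: date) -> bool:
    """Unsupported if the support date has passed or the vendor never stated one."""
    return item.support_ends is None or item.support_ends < today


def review_inventory(inventory, today: date):
    """Return (product, finding, detail) tuples for everything that fails the rules."""
    findings = []
    for item in inventory:
        if is_unsupported(item, today):
            detail = ("no published end-of-support date" if item.support_ends is None
                      else f"support ended {item.support_ends.isoformat()}")
            findings.append((item.name, "UNSUPPORTED", detail))
        for u in overdue_updates(item, today):
            findings.append((item.name, "OVERDUE_PATCH",
                             f"{u.identifier} (CVSS {u.cvss}) released "
                             f"{days_outstanding(u, today)} days ago"))
    return findings


# Constructed sample inventory: product names, update identifiers and dates are made up.
TODAY = date(2024, 6, 1)
SAMPLE_INVENTORY = [
    SoftwareItem("Example OS", "10.4", date(2026, 1, 31), [
        PendingUpdate("OS-2024-05", 9.1, date(2024, 5, 10)),   # critical, 22 days old: overdue
        PendingUpdate("OS-2024-06", 4.3, date(2024, 5, 1)),    # medium: outside the 14-day rule
    ]),
    SoftwareItem("Example Browser", "120", date(2025, 12, 31), [
        PendingUpdate("BR-2024-05", 7.0, date(2024, 5, 25)),   # high, 7 days old: still inside window
    ]),
    SoftwareItem("Legacy Office Suite", "2010", date(2020, 10, 13)),   # support has ended
    SoftwareItem("Vendor Tool", "3.2", None),                          # no support date published
]

if __name__ == "__main__":
    for product, finding, detail in review_inventory(SAMPLE_INVENTORY, TODAY):
        print(f"{finding:14} {product}: {detail}")
```

Run as a script it lists three findings: the overdue critical update for "Example OS", and "Legacy Office Suite" and "Vendor Tool" as unsupported. The browser's high-severity update is not reported because it is only 7 days old, and the medium-severity OS update is ignored because the 14-day rule in the guidance applies to high and critical updates. A product with no published end-of-support date is treated as unsupported, since the guidance requires the vendor to provide that date.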

Manufacturer approved software

You should only use software that is from an official source that is approved by the manufacturer/vendor. This way, you can be confident that the thousands of lines of code are not designed to harm your device or data. Some examples of official sources include the Google Play store and the Apple app store. Software acquired from questionable sources may be counterfeit and unlicensed. Not only will it be of an inferior quality and unable to receive ongoing support, but there is also a high chance it will contain malware. (See guidance about malware.)

Unused software

Many devices and software come from the manufacturer with extra features enabled that you do not use. The code in each ‘extra’ feature can potentially offer additional openings for cyber criminals to reach you. It is a good idea to permanently remove unused software by uninstalling it. See guidance: Removing unnecessary software.

Best practice to minimise your computer’s exposure to software vulnerabilities

  • Only use licensed software that the manufacturer still supports with patches.
  • Only buy software from official sources.
  • Apply patches as soon as they are released.
  • Remove unsupported software from your devices.
  • Remove any extra features that you don’t use from software you have.