BACKGROUND:
CISA has issued Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities. The directive is backed by a public catalog of vulnerabilities known to be exploited in the wild and requires US federal civilian agencies to remediate affected systems within specific time frames. The catalog includes vulnerabilities in products from Cisco, Google, Microsoft, Apple, Oracle, Adobe, Atlassian, IBM, and others. For vulnerabilities disclosed this year (CVE IDs of the form CVE-2021-*****), the directive requires US federal civilian agencies to apply patches by November 17, 2021. Older vulnerabilities must be patched by May 3, 2022. Experts with Gurucul, SecurityGate & YouAttest offer perspective.
<p>CISA’s Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, is a great service to the security community. The fact that the broad-ranging document includes products from Cisco, Google, Microsoft, Apple, Oracle, Adobe, Atlassian, IBM and others shows how far-reaching the problem is. It also shows how addressing just the individual components, though necessary, is a losing game. The fact that the vulnerabilities exist in practically all the resources infers to security personnel that an overall methodology must be in place to mitigate an attack that could come from anywhere.</p>
<p>The commonly accepted new methodology is Zero Trust – where each "leg" in the system has to confirm the identity of the requesting party. In a zero-trust system, identities and informational requests need to be constantly validated in each step of the process. Identity attestation to ensure the principle of least privilege (PR.AC-6) is also imperative in a zero-trust system.</p>
<p>CISA continues to impress with its focus on defending government networks and systems by executing on the basics of cyber “blocking and tackling”. It is disappointing that it takes a Binding Operational Directive for US Federal departments and agencies to implement critical patches, but kudos to CISA for recognizing this issue and using its authorities to enforce action. There was quite a bit of controversy back in 2017 with a similar directive for Kaspersky products, but this action is a no-brainer. Let’s see if it migrates to quarterly in 2022 rather than annually.</p>
<p>Patching software and operating systems should be at the top of the IT priority list. Now CISA is stepping in, directing government agencies to apply all patches by November 17. Patching can be a complicated process, in that patches should be tested in the production environment first but should take precedence over less critical activities.</p>
<p>Too many organizations think patching software is optional, and doesn’t have to be done immediately. It’s refreshing to see that CISA has listed a comprehensive list of known vulnerabilities along with relevant patches. Every organization, even those outside of the government, should obtain this list and use it to check their own patch programs.</p>