In response to reports that CISA has issued a new directive requiring federal civilian agencies to address at least 306 vulnerabilities commonly exploited in attacks, cybersecurity experts offer the following comments.
It’s an unfortunate fact that some government agencies can be among the slowest institutions to implement security patches in a timely manner. There are three major things at play here. First, some agencies rely on software only compatible with unsupported underlying systems such as Windows Server 2003 or even Windows XP Embedded. It’s not uncommon for us to identify these legacy, and therefore unpatched and vulnerable, systems only to be told they can’t be patched or upgraded as that would break the software package they depend on operationally, and that migrating to a new solution is outside their immediate budget. This, however, is penny smart and pound foolish. With modern cyberattacks now routinely reaching into the millions of dollars of damages, especially with ransomware, leaving a known vulnerable system online becomes an expensive risk. The second factor can be organizational inertia. The standard change review and approval process can delay the implementation of security patches, leaving the organization at risk of significant damage in the meantime. This is not to say, however, that such processes should be abandoned altogether; after all, many vendors release patches that routinely break functionality in some way or another, which you want to test out yourself to avoid unexpected outages. Rather, it’s important that the approval process has provisions for acceleration in place to more quickly address the most critical of risks, and that a ready-to-go test lab and validation testing protocol exist for quickly and efficiently testing security patches for unforeseen adverse effects. The third thing that can cause extended delays in implementing critical patches is a lack of insight into what vulnerable systems and applications are present in the environment. Orphaned or forgotten systems that are vulnerable to high-severity exploits can blindside even the most otherwise efficiently run organizations. To have visibility into where risk lies, organizations should engage in frequent vulnerability scanning as well as routine penetration testing to identify any systems or applications that may have fallen through the cracks of the normal patch management and software lifecycle processes.
What CISA is doing is great! They are to be applauded. They are doing a few things that I think are not getting enough press. First, they are culling out the number of patches that people need to be worried about. Each year, over 10,000 vulnerabilities are found that end up getting patched. Last year, it was 18,103 things. But only 2% of those exploits EVER get exploited in the wild by an attacker. Those are the only ones that we really need to be worried about and need to patch. But which ones? Well, CISA is now maintaining that list. They call it a vulnerability management catalog. But what they put in their log is only actively exploited vulnerabilities. So, you want to know what you really need to patch? There you go. Second, they say you have to mitigate the included new and existing 2021 vulnerabilities within two weeks. That solves another long-standing problem, which was how quickly to patch after the patch was released. Most regulations say something general, like "apply critical patches in a timely manner." CISA is telling you what is critical… it is in their catalog. Second, they are saying it needs to be done within two weeks (subject to change). There you go. They have officially defined "timely". Third, they mandated it across the government (with some notable exceptions). It takes all the fuzziness out of patch management. No one can say they did not understand what they needed to do regarding patch management. The U.S. government has now told you. I think any public company that does not follow this advice should be required to pass a "reasonable person" standard and explain why they are not doing what the U.S. government said every organization they control should be doing. Again, I congratulate CISA and Dir. Easterly. She has come in and, in only a few months, started to aggressively push good information and advice several times a week. They are trying to educate more people in cybersecurity, provide more cybersecurity professionals to all companies and industries, and starting to define, in concrete, things that used to be more fuzzy. Exciting news.
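The two mechanisms described in the comment above, a catalog of actively exploited vulnerabilities and a fixed remediation window, are easy to turn into a triage step on top of an existing scanner export. The following script is an added example written for this page; it is not code from the article, from either commenter, or from CISA. It assumes catalog records using the field names of CISA's published catalog feed (cveID, dateAdded, dueDate) and applies the two-week window described above where a record carries no explicit due date. All CVE identifiers, hostnames and dates in it are constructed placeholders.

```python
"""Triage scanner findings against a catalog of actively exploited vulnerabilities.

Added example (not the article's or CISA's code). Catalog field names follow
CISA's published catalog feed; every record and finding below is constructed
placeholder data, and the CVE identifiers are not real.
"""
from datetime import date, timedelta

# The directive described in the article gives agencies two weeks to remediate.
REMEDIATION_WINDOW = timedelta(days=14)

# Constructed subset of a catalog. CVE ids are placeholders (CVE-0000-xxxx).
CATALOG = [
    {"cveID": "CVE-0000-0001", "dateAdded": "2021-11-03", "dueDate": "2021-11-17"},
    {"cveID": "CVE-0000-0002", "dateAdded": "2021-11-03", "dueDate": "2022-05-03"},
    {"cveID": "CVE-0000-0003", "dateAdded": "2021-11-17", "dueDate": "2021-12-01"},
    {"cveID": "CVE-0000-0004", "dateAdded": "2021-11-10"},  # no dueDate: window applies
]

# Constructed scanner export: one finding per (host, CVE) pair.
SCAN_FINDINGS = [
    {"host": "legacy-app-01.example.internal", "cveID": "CVE-0000-0001"},
    {"host": "legacy-app-01.example.internal", "cveID": "CVE-0000-0099"},
    {"host": "web-03.example.internal", "cveID": "CVE-0000-0003"},
    {"host": "db-02.example.internal", "cveID": "CVE-0000-0002"},
]


def parse_date(value):
    """Accept either an ISO-8601 string or a date object."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def index_catalog(records):
    """Map each catalog CVE id to its remediation due date.

    Records that carry an explicit dueDate keep it; records without one get
    dateAdded plus the two-week window the article describes.
    """
    index = {}
    for rec in records:
        added = parse_date(rec["dateAdded"])
        due = parse_date(rec["dueDate"]) if rec.get("dueDate") else added + REMEDIATION_WINDOW
        index[rec["cveID"]] = due
    return index


def triage(findings, catalog_index, today):
    """Annotate findings with catalog status and days left until the due date.

    Catalog-listed findings sort first, the most overdue at the top; findings
    absent from the catalog go to the bottom of the list.
    """
    today = parse_date(today)
    rows = []
    for finding in findings:
        due = catalog_index.get(finding["cveID"])
        if due is None:
            rows.append({**finding, "listed": False, "due": None, "days_left": None})
        else:
            rows.append({**finding, "listed": True, "due": due, "days_left": (due - today).days})
    rows.sort(key=lambda r: (not r["listed"], r["days_left"] if r["listed"] else float("inf")))
    return rows


def overdue(triaged_rows):
    """Catalog-listed findings whose due date has already passed."""
    return [r for r in triaged_rows if r["listed"] and r["days_left"] < 0]


def format_report(triaged_rows):
    """Render a plain-text report, one line per finding."""
    lines = []
    for r in triaged_rows:
        if not r["listed"]:
            lines.append(f"{r['host']:<35} {r['cveID']:<15} not in catalog")
        elif r["days_left"] < 0:
            lines.append(f"{r['host']:<35} {r['cveID']:<15} OVERDUE by {-r['days_left']} day(s) (due {r['due']})")
        else:
            lines.append(f"{r['host']:<35} {r['cveID']:<15} due {r['due']} ({r['days_left']} day(s) left)")
    return "\n".join(lines)


if __name__ == "__main__":
    index = index_catalog(CATALOG)
    rows = triage(SCAN_FINDINGS, index, "2021-11-20")  # constructed "as of" date
    print(format_report(rows))
    print(f"\n{len(overdue(rows))} finding(s) past the remediation deadline")
```

Run against a real scanner export, the same two functions give the reviewer a short list: everything in the catalog, ordered by how late it is, with the rest of the scan results pushed below the fold. That is the practical effect of the catalog the comment describes: it narrows the patch queue to the entries that are actually being exploited and attaches a concrete deadline to each one.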
Information Security Buzz (aka ISBuzz News) is an independent resource that provides experts' comments, analysis and opinion on the latest information security news and topics.