Investigators have revealed that the United States Department of Homeland Security currently has a litany of security problems, including running old, outdated software and operating computers which haven’t received patches for 5 years. Some of the vulnerabilities were so serious that they “expose DHS data to unnecessary risks,” said the investigators, adding that the agency needed to protect its systems “more fully and effectively.” Travis Smith, Principal Security Researcher at Tripwire, commented below.
Travis Smith, Principal Security Researcher at Tripwire:
“There are many organizations which are in the same boat as the DHS. They’re also running older software which is ridden with known vulnerabilities. The difference maker for achieving a successful security program is understanding the risk exposure by having these vulnerabilities run on the network. In some cases it makes more business sense to have the outdated software since it’s either not technically or financially feasible to fix or replace them. If that is the case, compensating controls need to be put in place. For example, segregating the network or placing additional protections on the endpoint and/or network.
A small sample size of 64 systems may also not accurately represent the full picture of the entire network. An enterprise-sized network can consist of thousands of systems that the IT department knows about, let alone those that it does not. Coordinating scanning and patching of every system is a complex problem to solve when there are critical applications which cannot afford to have downtime.
By following foundational controls from the Center for Internet Security, any organization large or small can follow best practices to avoid having significant gaps in their security posture. Those with a more mature security posture can also leverage things such as hardening guidelines from the CIS or DISA and the MITRE ATT&CK framework to model what adversaries are truly going to attempt on your equipment.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.