Patch Like a CISA Pro!

Last year, there were over 20,100 publicly announced vulnerabilities (e.g., software, firmware, etc.) that needed patching.

That is about 11-55 exploits announced per day, day-after-day, year-after-year. The daily record was 287 exploits announced in one day (https://go.flashpoint-intel.com/docs/2021-Year-End-Report-Vulnerability-quickview). That is a lot of issues to worry about when patching.

The key to potentially making your patching life easier is to realize that, according to the U.S. Cybersecurity & Infrastructure Security Agency (https://cyber.dhs.gov/bod/22-01/) and many other sources, only 4% of vulnerabilities are ever exploited by any real-world attacker against an organization. The other 96% are announced vulnerabilities that are never exploited by ANYONE in a real-world, malicious attack.

It is easier to patch 4% of 20,142 things than 100% of 20,142 things.

Which vulnerabilities are exploited? I am glad you asked.

CISA has a list. It is known as the CISA Known Exploited Vulnerability Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog).

CISA updates this any time they learn of another new vulnerability being exploited, which is pretty frequently. You can subscribe (https://public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_136) and get proactively notified from CISA via email anytime a vulnerability is being newly exploited.

Optimal Patching

Here is what I think should be the optimal patch management focus:

[Image: the recommended patch management focus, described in the paragraphs below]

Any vulnerability identified by CISA on their Known Exploited Vulnerability Catalog and in your environment should be patched ASAP! Do not wait. Do not pass go. Look for it and patch it. Bad actors and computer worms are hoping you will take your time. I think CISA recommends patching known public exploited vulnerabilities within 2 weeks, but why wait? The risk of exploitation is likely higher than the risk of extended operational interruption due to something related to the patching.

Not every vulnerability with publicly available proof-of-concept code ends up being exploited by an attacker. But if the involved device/application/service is popular, that increases the chances that it will be exploited. If the device/application/service can be remotely exploited without any end user input, that significantly increases the odds that it will be exploited. Most attacks today are “client-side attacks”, meaning a user has to be involved (e.g., click on a link, download and execute malicious content, etc.) to kick off the exploit. Client-side attacks are much more popular, but because they need a user to start the process, they are far less likely to succeed than truly remotely exploitable vulnerabilities.

Remotely exploitable things like Microsoft’s Remote Desktop Protocol (RDP) are loved by hackers. And therefore, when any critical vulnerability involving them comes out, like it did last week for RDP (https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21990), you should proactively patch it as quickly as you can, only prioritized behind actively exploited vulnerabilities.

If you do not know whether something is remotely exploitable, or how likely it is to become exploited in the near future, look for the vulnerability’s CVSS (Common Vulnerability Scoring System) score once it is published. Not all vendors include the CVSS risk rating in their vulnerability announcement, but they should. Any CVSS score of 8.0 or higher is something that needs to be patched fairly quickly. For example, the RDP vulnerability announced last week has an 8.8 CVSS score (shown below), even though Microsoft is not yet aware of it being used in an actual attack. But proof-of-concept code has been released, RDP is super popular and the vulnerability can be exploited remotely, so a very high risk rating is appropriate.

[Image: the 8.8 CVSS score from Microsoft’s advisory for the RDP vulnerability]

And so, the risk management for patching continues, according to the patching recommendation above.
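The prioritization described above, as an added example (not code from the article or from CISA): it ranks a vulnerability inventory into the article’s tiers, skipping anything not actually deployed, as Kelly Burton’s comment below stresses. The KEV feed, software inventory, CVE ids and CVSS vectors are all constructed placeholders; the tier thresholds (AV:N plus UI:N for “truly remote”, 8.0 for the CVSS cutoff) are my reading of the text.

```python
from dataclasses import dataclass

# Constructed sample shaped like the cveID field of CISA's KEV JSON feed;
# the CVE ids are placeholders, not real catalog entries.
SAMPLE_KEV_FEED = {"vulnerabilities": [{"cveID": "CVE-0000-0001"},
                                       {"cveID": "CVE-0000-0003"}]}
INSTALLED = {"rdp-client", "web-proxy", "pdf-reader"}  # constructed inventory

@dataclass
class Finding:
    cve: str
    product: str
    cvss: float
    vector: str  # CVSS v3 vector, e.g. "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"

def kev_ids(feed):
    """CVE ids currently listed as known exploited."""
    return {entry["cveID"] for entry in feed["vulnerabilities"]}

def remote_no_user_interaction(vector):
    """AV:N and UI:N = reachable over the network with no user involvement."""
    metrics = dict(m.split(":", 1) for m in vector.split("/") if ":" in m)
    return metrics.get("AV") == "N" and metrics.get("UI") == "N"

def tier(f, kev, installed):
    """1 = in KEV and deployed (patch ASAP), 2 = truly remote, 3 = CVSS >= 8.0,
    4 = normal cadence, 0 = not in your environment (verify, then no action)."""
    if f.product not in installed:
        return 0
    if f.cve in kev:
        return 1
    if remote_no_user_interaction(f.vector):
        return 2
    if f.cvss >= 8.0:
        return 3
    return 4

def prioritize(findings, feed=SAMPLE_KEV_FEED, installed=INSTALLED):
    """Return (tier, cve) pairs, most urgent first, dropping what is not deployed."""
    kev = kev_ids(feed)
    ranked = [(tier(f, kev, installed), f.cve) for f in findings]
    return sorted((t, c) for t, c in ranked if t)

SAMPLE_FINDINGS = [  # constructed findings; vectors are illustrative only
    Finding("CVE-0000-0001", "web-proxy", 7.5, "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"),
    Finding("CVE-0000-0002", "rdp-client", 8.8, "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"),
    Finding("CVE-0000-0003", "mail-server", 9.8, "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
    Finding("CVE-0000-0004", "pdf-reader", 9.8, "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
    Finding("CVE-0000-0005", "pdf-reader", 5.5, "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"),
]
```

Note that CVE-0000-0003 is on the KEV list but drops out entirely because its product is not deployed, while the 7.5-scored CVE-0000-0001 outranks the 9.8-scored CVE-0000-0004 because it is actively exploited.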

Is it easier just to do it all?

Many readers might ask themselves if it is not just easier to do it all, all at once, rather than picking and choosing which patches to apply. Well, yes and no. Yes, because if you are covered by a compliance requirement that involves patching, it most likely says you have to apply all “critical patches in a timely manner” regardless of whether they are being actively exploited or not. So, you have to forget everything I said here anyway and just use the recommendations as a guide to what you absolutely need to make sure you patch 100% every time, above and beyond your normal patching cadence. I think most readers will fall here anyway.

Even without a regulatory requirement, many patch managers might wonder if trying to pick and choose which patches to apply is a good way to go about it. Would it not be easier to just patch everything all at once so you do not goof up and miss something important?

Well, in theory, yes. In the perfect world, we would apply all needed patches in a timely manner. But we have supposedly been trying to do that for decades, and decades later, unpatched software is involved in 20% to 40% of attacks (according to various reports and surveys). Here is an example news report (https://www.zdnet.com/article/cybersecurity-one-in-three-breaches-are-caused-by-unpatched-vulnerabilities/) stating that unpatched vulnerabilities are involved in 33% of attacks.

So, for various reasons, we, collectively as a global society, do not seem to be doing a great job at patching everything. Common sense tells me that patching 4% of 20,100 vulnerabilities should be easier than trying to patch 100% of 20,100 vulnerabilities, but your mileage may vary.

This is my take on the subject. No matter which strategy you take…selective patching or patching everything…make sure you 100% quickly patch what CISA says is being actively exploited. In the midst of whatever you are required or trying to patch, carve out some extra special attention to patch the things that attackers are actively using to break into devices and networks.

Doing significantly better cybersecurity is not really a matter of buying new, shiny tools. It is better concentrating on the things that are far more likely to lead to malicious compromise, first and best, before you worry about all the other things.

Being a patching pro is mostly about focusing on the right things first and best. Go be the best pro you can be! Subscribing to and following CISA’s Known Exploited Vulnerability Catalog list/service is a great place to start.

Mark Majewski

Information Security Director | SACP, SSAP, CRISC, CISSP, ISSMP, PMP, Lean/Six Sigma Green Belt

2 years ago

Some great risk-based advice here.

Dimitri van Zantvliet

Cyber Director / CISO Dutch Railways | Cyber&AI Author/Lecturer/Speaker | Chair CISO Platform NL | Advisory Board NCSC, Cybersec NL, GRR, Cyber Senate & UvA Cyber Academy | Global Ambassador to GCRAI, Angel Investor

2 years ago
Monica Cole-Rowe CISSP

Bringing a sense of calm to the cyber security storm.

2 years ago

I just discussed using CISA’s list with my team today and seeing this confirms my thoughts. Thank you!

Steve Schuster

Leader | Technologist | Musician

2 years ago

Thank you for this, Roger! Your statement that, "...we have supposedly been trying to do that for decades, and decades later, unpatched software is involved in 20% to 40% of attacks", resonated with me... maybe a little too well. Patching is almost always an uphill battle.

Kelly Burton, CISSP/PMP/CCNP-ENT-SP

Manager - IT Operations - WAN Team

2 years ago

One additional comment on this centered around the following statement in Roger's article "Any vulnerability identified by CISA on their Known Exploited Vulnerability Catalog and in your environment should be patched ASAP!" A very important part of this statement is the "in your environment" part --> This falls in line with Roger's Data-Driven Defense guidelines - Make sure you know your environment and whether or not the vulnerability impacts your environment. If the vulnerability deals with software you are not running in your environment, then there is no impact. BUT - You need to make sure. Do your due diligence and know what you got and then patch as appropriate. Just my 2 cents. Thanks
