With known vulnerabilities still being the source of most data breaches (nearly 60%), it is no wonder that the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) recently issued a binding operational directive (BOD) that shortens the timeline for agencies to patch known weaknesses in their systems.
According to Chris Krebs, head of the Department of Homeland Security’s cybersecurity agency, the DHS has had a “great deal of success” improving the cybersecurity risk postures of federal agencies by issuing guidance such as BODs and emergency directives.
Studies show that hundreds of thousands of data records are lost or stolen every hour during a breach, and quickly patching known vulnerabilities significantly reduces the risk of a breach, so those of us at Automox believe that putting this BOD in place is a step in the right direction.
CISA’s Order
When it comes to patching known vulnerabilities, time is of the essence. As such, the instruction ordering agencies to enable access for the department’s automated vulnerability scans and to fix critical weaknesses within 15 days should come as no surprise.
The reason? According to a CISA announcement, “Recent reports from government and industry partners indicate that the average time between discovery and exploitation of a vulnerability is decreasing as today’s adversaries are more skilled, persistent, and able to exploit known vulnerabilities.”
The new directive includes two specific action sets for agencies moving forward:
- Ensure Access and Verify Scope
- Review and Remediate Critical and High Vulnerabilities
The Urgency to Patch
Because quickly patching known vulnerabilities significantly reduces the risk of a costly and dangerous data breach, any organization can draw inspiration for their patching strategy from this federal government directive. Whether discussing high or critical vulnerabilities, the implementation of tight deadlines to patch those known vulnerabilities is vital to securing our collective digital future.
Even if you're not a government agency, this BOD can impact your organization. While CISA won't involve itself when your company fails to meet the deadlines set forth by the directive, your organization can use the instruction as a guideline for implementing its patch management strategy.
The 15- and 30-day deadlines laid out by the CISA order underscore the urgency to patch known vulnerabilities: government organizations are not the only juicy targets for hackers and bad actors seeking to turn a profit or to damage financial markets, important infrastructure and even military assets. Today, sophisticated attacks exploit vulnerabilities to steal information and money, and hackers are developing capabilities to disrupt, destroy or threaten the world of business as well.
Ongoing Cyber Hygiene and Automated Patch Management
Any software is prone to vulnerabilities, and thousands of new ones are discovered and reported every year, so the older an agency's system is, the more likely it is to carry unpatched vulnerabilities. While the timeframe to patch in the directive is an improvement, 15 days is far too long if exploits are already out there being, well, exploited.
Clearly, the need to patch known vulnerabilities has never been more urgent — and the CISA order shortening the timeframe to patch cements that notion and will have a ripple effect that extends beyond government agencies. When the government makes such a public action, the private sector is often not far behind.
While every organization differs in its change control procedures (and its tolerance for potential service disruption), there’s a balance to strike between those constraints and the need to keep up with the latest published exploits for all operating systems used on the company network. Best-in-class organizations should have the ability to test, stage and patch critical vulnerabilities within a week. In some cases, 48 hours should be the maximum window for critical vulnerabilities that are being actively exploited. After all, every second an organization goes without patching a known vulnerability, the likelihood of a breach increases.
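The deadlines discussed above (the order's 15-day window for critical and 30-day window for high findings, and the stricter one-week and 48-hour targets suggested for best-in-class organizations) can be turned into a simple remediation-SLA check run over scan output. The following is an added example, not Automox code or part of the CISA directive; the hostnames, CVE ids and the "internal" policy windows are constructed placeholders, and the 30-day window is assumed to apply to high-severity findings.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation windows in days, keyed by severity. "cisa" mirrors the 15-day
# (critical) and 30-day (high, assumed) deadlines the post cites; "internal"
# is a constructed, stricter policy in the spirit of the one-week target.
POLICIES = {
    "cisa": {"critical": 15, "high": 30},
    "internal": {"critical": 7, "high": 14},
}
EXPLOITED_WINDOW_DAYS = 2  # actively exploited criticals: 48-hour maximum


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str            # placeholder identifiers, not real CVEs
    severity: str       # "critical" or "high"
    discovered: date
    actively_exploited: bool = False


def deadline(finding: Finding, policy: str) -> date:
    """Date by which this finding must be remediated under the named policy."""
    window = POLICIES[policy][finding.severity]
    if finding.severity == "critical" and finding.actively_exploited:
        window = min(window, EXPLOITED_WINDOW_DAYS)
    return finding.discovered + timedelta(days=window)


def overdue(findings, policy: str, as_of: date):
    """Return (finding, days_overdue) pairs, most overdue first."""
    result = []
    for f in findings:
        late = (as_of - deadline(f, policy)).days
        if late > 0:
            result.append((f, late))
    return sorted(result, key=lambda pair: -pair[1])


# Constructed sample scan results (hosts and CVE ids are placeholders).
SAMPLE = [
    Finding("web-01", "CVE-XXXX-0001", "critical", date(2019, 5, 1)),
    Finding("db-02", "CVE-XXXX-0002", "high", date(2019, 5, 1)),
    Finding("vpn-03", "CVE-XXXX-0003", "critical", date(2019, 5, 10), True),
    Finding("app-04", "CVE-XXXX-0004", "high", date(2019, 5, 12)),
]
AS_OF = date(2019, 5, 20)  # constructed "today" for the report

if __name__ == "__main__":
    for f, days in overdue(SAMPLE, "cisa", AS_OF):
        print(f"{f.host} {f.cve} {f.severity}: {days} day(s) overdue")
```

Running the same findings under the "internal" policy shows how many more items fall out of compliance when the windows are tightened, which is the trade-off the paragraph above describes.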
Effective cyber hygiene eliminates the vast majority of an agency’s risk and often requires the least amount of effort when compared to other controls. As the world moves into an increasingly digital space, government agencies and organizations of all sizes must consider moving away from legacy solutions that require ongoing maintenance and cumbersome patch management.
Automox empowers customers with the confidence to know that patches and remediations will be applied within timeframe requirements, will stay enforced and will be reported on accurately to demonstrate compliance. Automox’s cloud-native platform is simple to configure and manage and is fully customizable, allowing agencies to choose the level of automation that best suits their unique security posture, automatically securing systems without the need for hands-on maintenance.
Learn more about our cloud-native modern approach to patch management at www.automox.com. Or, feel free to connect with an Automox expert directly.
About Automox
Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.
Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.
Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.