In November 2021, the Biden administration issued a binding operational directive that created two major tools to protect federal data and systems against cyberattacks. First, it established a formal, Cybersecurity and Infrastructure Security Agency-managed catalog of known-exploited, critical vulnerabilities; and second, it set forth the requirements for all federal agencies (and contractors) to remediate them. This new directive aims to protect government agencies from cyber-risks that could lead to significant intrusions into their networks and systems. As it turns out, federal agencies, like their private counterparts, face significant challenges when it comes to patch management.
This directive could not come at a more opportune moment. The past 12–24 months have seen a rapid increase in sophisticated attacks by threat actors who are highly financed and motivated to exfiltrate sensitive information. These attacks affect all of our interconnected systems in both the private and public sectors; no one is immune. Our threat research has shown that threat actors quickly exploit known vulnerabilities, often formulating an attack within 72 hours of a patch being issued. Unfortunately, few entities have the resources to patch that quickly.
What is truly alarming, however, is how far behind many public and private organizations are with their patch management procedures. We frequently find known vulnerabilities in our customers’ business-critical applications that are several years old and still unpatched. This directive looks to change that, ensuring agencies and their third-party vendors develop plans to find and remediate these known vulnerabilities.
Multiple studies demonstrate that detecting vulnerabilities and prioritizing the right patches quickly and efficiently are the largest challenges. By establishing a prioritized catalog of vulnerabilities, the directive seeks to give federal agencies a leg up. The onus on establishing a plan and process for remediation, however, still remains with the individual federal agencies.
Nevertheless, we’re glad to see the Biden administration take this critical step forward in improving the cybersecurity posture of the United States and, by extension, the companies that provide services to the federal government. While bold, it is still just the first step in minimizing and mitigating risk to the critical systems the United States government and its private industry partners use. The requirements of the measure only enforce what we already know to be standard security practices.
We should take this moment to explore what other cybersecurity best practices are frequently challenging for organizations to follow. We have seen that lax standard security practices can lead to catastrophic results. Here are select examples of security procedures that will have a great impact on the security posture of the United States and its private partners.
Identify and Mitigate Third-Party Risk
An organization is only as secure as its weakest link. Because critical applications are central to an organization’s operations, they are connected not just to multiple internal systems but also to third parties. Since these applications run across multiple entities, organizations need a recorded process to assess third-party risk. Thus it’s essential to extend any vulnerability management program to connected systems and third parties to more accurately understand risk.
Start by assessing all third-party vendors. Have a clear understanding of what data they can access and how they are using it.
Institute Continuous Monitoring Controls
As we saw with the SolarWinds attack, sometimes a routine software update can have a significant cybersecurity impact across federal agencies and private industries. While it’s important to harden defenses, you must also make sure that the fox isn’t already inside the henhouse.
Implementing a system to monitor your critical applications in real time can help identify threats as they happen, alert the right rapid response teams to intervene before they become a crisis, and ultimately prevent threat actors from exfiltrating sensitive data.
Deliver Better Cybersecurity Education to Employees
Repeated studies show that phishing attacks and social engineering are two of the most common ways that agencies and networks are compromised. (The other is exploiting software vulnerabilities!) Often, people pressed for time or just trying to do their jobs make simple mistakes. They click on phishing links or those that contain malware.
Of all attack vectors, this is one that is highly preventable by helping employees understand how they are targeted.
Get Back to the Basics
The directive on patch management will force agencies and their partners to address known vulnerabilities in their systems, something they should have been doing all along. The Biden administration directive will seek to largely cut off that attack vector. Because the directive applies to all software found on federal information systems, whether managed on agency premises or hosted by third parties on an agency’s behalf, it will have a wide-ranging impact.
The Biden administration has taken some bold steps to drive awareness and accountability in federal agencies with regards to software vulnerabilities that put our government and our society at risk. We look forward to seeing the federal government begin institutionalizing other security best practices. As we know, actions taken at the federal level can have a ripple effect downstream with private industry. If the federal government takes the lead here, its influence and impact across both the public and private sectors will be profound, leading to better security for our most critical systems now and in the future.
Read More HERE