United States federal government agencies are now required to patch the most serious vulnerabilities in half the time. A new cyber security directive from the Department of Homeland Security (DHS), Binding Operational Directive 19-02, has cut the mandatory window for remediating vulnerabilities rated “critical” from 30 to 15 calendar days, in a bid to shore up cyber security in the face of increasing activity by threat actors and some high-profile failures.
Government agencies were previously required to patch critical vulnerabilities within 30 days of detection. Flaws categorized as “high” severity remain on a 30-day clock. What counts as “initial detection” has also changed. The DHS’s Cybersecurity and Infrastructure Security Agency (CISA) will perform weekly “Cyber Hygiene” scans of agencies’ internet-accessible systems, and the clock starts as soon as a vulnerability is first seen in one of those scans, not when the agency happens to notice it. CISA has also revisited the scale by which vulnerabilities are ranked for this directive, opting for the older CVSSv2 scale rather than CVSSv3. Some research had criticized CVSSv3 for placing a disproportionate share of vulnerabilities in the “high” category, which would have swept many more flaws into the shortened windows.
Agencies that fail to remediate within the required window are given three days to get a complete remediation plan in place. They must explain why they cannot update in time, document any interim mitigations they have put in place, and provide an estimate of when their systems will be patched. These requirements apply to federal civilian agencies (the Pentagon and the intelligence community are outside the directive’s scope), though the DHS has stated that some systems that no longer receive security updates will be exempt. Under the terms of the new cyber security directive, administrative penalties are possible for agencies that fail to respond in a timely manner.
CISA is a recent reorganization of the National Protection and Programs Directorate (NPPD), tasked with protecting both the nation’s physical and cyber infrastructure. Under the Cybersecurity and Infrastructure Security Agency Act of 2018, the directorate was restructured with a renewed emphasis on cyber security. This new cyber security directive is the agency’s second major action of 2019. The first was an emergency directive (ED 19-01) requiring all agencies to audit their domain name system (DNS) records and lock down the accounts that manage them, issued in the wake of a spree of DNS hijacking believed to have been carried out by state-sponsored Iranian hackers.
These new requirements appear to have been directly spurred by an early April audit report that found a number of federal agencies “not effective” in their cyber security. Those named include the Department of Health and Human Services, the Food and Drug Administration, the National Institutes of Health, and the Centers for Medicare and Medicaid Services. CISA also had some praise for federal agencies, however, noting that they had cut the average time to patch critical vulnerabilities from 149 days to 20 days as of 2019.
Is the new cyber security directive adequate?
While the shorter time frame in this new cyber security directive is an improvement, some observers wonder whether it is adequate for government systems that hold extremely sensitive data. One security executive commented:
“This is a good initiative, one to which all reputable private-sector enterprises already subscribe via third-party scanning services. It wouldn’t surprise me if some government agencies also subscribe to similar services in the private sector, as it is definitely a best practice in the industry.
I would argue that the directive does not go far enough to call out critical vulnerabilities for which proofs of concept may already be published or for which developing an exploit is trivial. Those indeed have a higher chance of being exploited by threat actors in record time. In my view, 15 days for remediation is too slow in those circumstances.”
Christian Vezina, Chief Information Security Officer for OneSpan, agreed:
“Forcing remediation of critical vulnerabilities within 15 days is a good idea, with a few caveats. While moving from 30 to 15 days is likely to improve overall system posture and shrink attack windows, it may be a stretch for all agencies to meet, so CISA will definitely need to help with remediation templates. Looking at this from another perspective, a deadline of 15 days for vulnerabilities that are not being actively exploited can be acceptable, but it is probably way too long if exploits are already out there being exploited. In such cases, 48 hours should be a maximum window for critical vulnerabilities being actively exploited. Vulnerabilities need to be further prioritized to make the best use of available limited resources.”
In an ideal world, vulnerabilities would be patched the moment a fix is available. Small-to-medium businesses often lack the resources to make that happen. One would think resources would not be an issue for the federal government; legacy systems, and the bureaucracy surrounding them, are the more likely explanation. As Willy Leichter, VP of Marketing for Virsec, points out:
“Patching critical vulnerabilities should always be a top priority, but arbitrary deadlines often have unintended consequences. There are three main reasons why servers often go unpatched – negligence or poor processes, lack of awareness of where vulnerable code is running, or hesitancy to patch because it can break things in fragile, complex environments. The DHS order should help flush out the first two, but even in well run organizations patching can be much harder than it sounds. Today’s software stacks are complex and extremely interdependent. Even the best patches can cause conflicts, require updating platforms, or break integrations. Any patch has to be carefully vetted and tested before being deployed – this is why the average patch time for most enterprise servers is 3-6 months.”
Reports to Congress in 2016 noted that some federal systems were still running badly outdated versions of Windows, in at least a few cases Windows 3.1. Federal agencies spend an estimated 75% of their annual IT budget on operating and maintaining existing, often legacy, systems. The problem with this approach is that a legacy operating system eventually reaches total obsolescence from a security standpoint: the vendor ships no more fixes, so it can no longer be patched against new (and sometimes even long-established) vulnerabilities. The 2015 hack that hit the Office of Personnel Management and exposed the sensitive personal data of 21.5 million people was due in part to vulnerabilities in outdated systems, systems the agency had been repeatedly warned about since 2007.
How often should businesses patch vulnerabilities?
The federal government’s new cyber security directive is not a good measuring stick for how independent businesses should patch vulnerabilities; it is a floor set for large bureaucracies, not a target. As Colin Little, Senior Threat Analyst for Centripetal Networks, points out:
“We have seen time and again that when a new critical vulnerability is publicized, within hours of that release, scans for the associated service start flooding the internet. Network owners must realize that when a new critical vulnerability is released that affects them, they are one degree of separation away from an emergency. These same network owners desperately need a mechanism which is adopted by system owners and incorporated into change management procedures, in order to respond with urgency where they are able. Such a process would treat the vuln as though it were an emergency, complete with backup procedures and other risk-mitigation strategies associated with patching a system. They must do this if they are to avoid the actual emergency of systems compromise.
“Network owners would also do well to know that malicious actors have likely already performed reconnaissance on their public-facing services so that, when a new critical vulnerability is discovered, they already have a list of targets where they have identified that service or technology is present. Having a vulnerability scan of your public-facing services is fundamental, but in addition to this network owners would benefit from a service which notifies and blocks against active attacks on their public-facing infrastructure.”
It’s a hard fact that many businesses will find themselves in a similar boat to some of these federal agencies. They may have legacy systems they cannot replace, or a fragile patchwork that each new security patch threatens to upend in some unexpected way. And a total upgrade or replacement of existing systems is simply not in the cards, whether for budget reasons or because of unique industry needs.
Another hard fact, following from Little’s description of internet-wide scanning within hours of disclosure, is that even 15 calendar days is not an adequate response time for critical vulnerabilities in many cases. This is particularly true for flaws that are already being exploited when they are disclosed, including “zero day” vulnerabilities for which no patch yet exists and only interim mitigations are possible. At minimum, an adequate emergency backup and restoration capability is an absolute necessity, because in those cases the question is not only how fast a system can be patched but how fast it can be rebuilt.
Even small businesses should scan their network for vulnerabilities at least once a month, and should keep an inventory of which operating systems and services are exposed so that a new disclosure can be matched against it immediately. The company’s security staff should keep up with the latest published exploits for every operating system used on the company network, particularly those for which working exploit code has been published, since those are the ones in the widest and most immediate circulation. Getting as many company devices as possible onto the same version of each operating system also helps tremendously in patching quickly without operational interruptions, because one tested patch then covers most of the fleet.
If there are concerns about security patches inadvertently breaking something, patch staging can be employed: a patch is first deployed to a small pilot group of representative systems, and only after it has been observed there is it released to everyone else. Many tools also pre-download the patch to all devices and hold it until an administrator approves installation. Patch management tools (such as Symantec’s Patch Management Solution or Quest’s KACE) allow a mix of manual and automatic approaches to this process. Ideally, testing and rollout should be completed in no more than a week, and a rollback procedure should be confirmed before the pilot begins.
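The two ideas above, a remediation clock that starts at first detection by a scan (as in the directive described earlier) and a shorter window for flaws that are already being exploited (as Vezina proposed), are easy to mismanage in a spreadsheet. The tracker below is an added example, not code from the directive, CISA or any vendor quoted here. The scan findings are constructed sample data with placeholder CVE identifiers, the CVSSv2 bucket thresholds are an assumption (CVSSv2 itself has no “critical” label), and the 48-hour ceiling is Vezina’s suggestion rather than a requirement of the directive.

```python
"""Remediation-deadline tracker: 15 calendar days for critical, 30 for high,
clock starting at the scan that first saw the finding, tightened to 48 hours
when the flaw is already under active exploitation. Missed deadlines get a
three-day remediation-plan due date, mirroring the directive's follow-up."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# ASSUMPTION: CVSSv2 base-score buckets. CVSSv2 has no "critical" rating of
# its own; treating only a perfect 10.0 as critical is this example's choice.
def severity(cvss_v2: float) -> str:
    if cvss_v2 >= 10.0:
        return "critical"
    if cvss_v2 >= 7.0:
        return "high"
    if cvss_v2 >= 4.0:
        return "medium"
    return "low"

SLA_DAYS = {"critical": 15, "high": 30, "medium": None, "low": None}  # None: no mandated window
ACTIVELY_EXPLOITED_HOURS = 48      # Vezina's proposed ceiling, not part of the directive
PLAN_DAYS_AFTER_MISS = 3           # remediation plan due after a missed deadline
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss_v2: float
    first_detected: datetime          # timestamp of the scan that first saw it
    exploit_public: bool = False      # PoC or weaponised exploit is circulating
    actively_exploited: bool = False  # exploitation observed in the wild

def deadline(f: Finding) -> Optional[datetime]:
    """Calendar-day window from first detection; shortened if actively exploited."""
    days = SLA_DAYS[severity(f.cvss_v2)]
    if days is None:
        return None
    due = f.first_detected + timedelta(days=days)
    if f.actively_exploited:
        due = min(due, f.first_detected + timedelta(hours=ACTIVELY_EXPLOITED_HOURS))
    return due

def triage(findings: List[Finding], now: datetime) -> List[Dict]:
    """Rows sorted most-urgent-first: overdue items, then nearest deadline,
    then severity; public exploit availability breaks remaining ties."""
    rows = []
    for f in findings:
        due = deadline(f)
        overdue = due is not None and now > due
        rows.append({
            "host": f.host, "cve": f.cve, "severity": severity(f.cvss_v2),
            "due": due, "overdue": overdue,
            "hours_left": None if due is None else (due - now).total_seconds() / 3600,
            "plan_due": due + timedelta(days=PLAN_DAYS_AFTER_MISS) if overdue else None,
            "exploit_public": f.exploit_public,
        })
    rows.sort(key=lambda r: (not r["overdue"], r["due"] or datetime.max,
                             RANK[r["severity"]], not r["exploit_public"]))
    return rows

# CONSTRUCTED sample scan output; CVE ids are placeholders, not real CVEs.
NOW = datetime(2019, 5, 20, 9, 0)
SAMPLE_FINDINGS = [
    Finding("web01.example.gov", "CVE-0000-0001", 10.0, datetime(2019, 5, 1, 3, 0)),
    Finding("vpn01.example.gov", "CVE-0000-0002", 9.3, datetime(2019, 5, 18, 3, 0),
            exploit_public=True, actively_exploited=True),
    Finding("mail01.example.gov", "CVE-0000-0003", 7.5, datetime(2019, 5, 10, 3, 0),
            exploit_public=True),
    Finding("fs01.example.gov", "CVE-0000-0004", 5.0, datetime(2019, 4, 1, 3, 0)),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_FINDINGS, NOW):
        status = "OVERDUE" if r["overdue"] else ("no window" if r["due"] is None else "open")
        left = "" if r["hours_left"] is None else f" {r['hours_left']:+.0f}h"
        plan = f" plan due {r['plan_due']:%Y-%m-%d}" if r["plan_due"] else ""
        print(f"{r['host']:20} {r['cve']:14} {r['severity']:8} {status}{left}{plan}")
```

Note what the sample run surfaces: the VPN finding scores lower than the web server’s and was detected much later, yet it is already overdue under the 48-hour rule, which is exactly the prioritisation the quoted experts argue a flat 15-day window hides.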
Admittedly, this is a significant added burden on any IT department, and particularly on those at smaller businesses. Employing a managed security services provider to patch vulnerabilities may well make financial sense in these cases, particularly for legacy systems that are onerous to keep current.