In a recent alert published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the agency laid out the 12 most routinely exploited vulnerabilities since 2016. Working through this list is a hassle if you don't have a real patching and/or vulnerability management program in place, along with buy-in and partnership from every relevant business area. Before you tackle these vulns, make sure you've taken these steps first:
Get backing from your organization
If you have the technical means to patch these systems and mitigate these threats, great! But do you also have the organizational backing to ensure the change request is presented to the change committee and the patches are queued, tested, deployed, and validated? If so, ask yourself how long a normal change request takes from presentation to validation. More importantly, how long do emergency changes take?
Finally, ask yourself whether your organization will agree with security on classifying certain patches as an emergency, or whether these long-exploited vulnerabilities will be pushed out in a normal patch cycle (or not at all).
Figure out which vulns apply to you
Four of the 12 vulnerabilities are in Microsoft Office products (five, if you count SharePoint). Digging into them, the exploits in the wild arrive as malicious documents that abuse Office's Object Linking and Embedding (OLE) technology. Note that OLE is not the same thing as VBA macros, but both are document-borne attack surfaces that can be restricted by policy, so the same questions apply to each:
- Do users actually rely on this functionality for their work?
- If so, are the applications that provide it updated regularly?
- If it is not being used, will the organization approve disabling it?
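The questions above are easier to answer with evidence than with a survey. The following PowerShell script is an added example, not part of the CISA alert or this post, that audits (and, with -Harden, sets) the per-user Office registry values controlling the two attack surfaces just discussed: VBAWarnings for macros and PackagerPrompt for embedded OLE package objects. It assumes an Office 2016/2019/365 install (version key "16.0"; pass -OfficeVersion "15.0" for Office 2013), and it assumes a GPO-delivered value lives under the parallel Policies path and takes precedence over the user-set value. Run it as the user whose settings you are checking; apply -Harden only after the change has been approved through the process described above.

```powershell
# Added example (not from the CISA alert or the original post).
# Audits, and optionally hardens, the per-user Office settings for VBA macros
# (VBAWarnings) and embedded OLE package objects (PackagerPrompt).
# Assumption: Office 16.0; adjust $OfficeVersion for 2013 ("15.0").
param(
    [switch]$Harden,
    [string]$OfficeVersion = "16.0"
)

$apps = @("Word", "Excel", "PowerPoint")

# Documented meaning of VBAWarnings: 1 = enable all macros, 2 = disable with
# notification (default), 3 = disable except digitally signed, 4 = disable all
# without notification.
$vbaMeaning = @{ 1 = "Enable all (dangerous)"; 2 = "Disable with notification";
                 3 = "Disable except signed";  4 = "Disable all" }
# Documented meaning of PackagerPrompt: 0 = run embedded packages without a
# prompt, 1 = prompt (default), 2 = never run embedded packages.
$pkgMeaning = @{ 0 = "Run without prompt (dangerous)"; 1 = "Prompt"; 2 = "Blocked" }

function Get-OfficeSecuritySetting {
    param([string]$App, [string]$Name)
    # Assumption: a value pushed by Group Policy sits under the Policies path
    # and wins over the user-set value, so it is checked first.
    $paths = @(
        "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security",
        "HKCU:\Software\Microsoft\Office\$OfficeVersion\$App\Security"
    )
    foreach ($p in $paths) {
        # Missing key or missing value both return nothing; treat as "not set".
        $v = Get-ItemProperty -Path $p -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $v) {
            $src = if ($p -like "*\Policies\*") { "Policy" } else { "User" }
            return [pscustomobject]@{ Value = [int]$v.$Name; Source = $src }
        }
    }
    return [pscustomobject]@{ Value = $null; Source = "Not set (application default)" }
}

foreach ($app in $apps) {
    $vba = Get-OfficeSecuritySetting -App $app -Name "VBAWarnings"
    $pkg = Get-OfficeSecuritySetting -App $app -Name "PackagerPrompt"

    $vbaText = if ($null -eq $vba.Value) { "default (2 = Disable with notification)" }
               else { "$($vba.Value) = $($vbaMeaning[$vba.Value])" }
    $pkgText = if ($null -eq $pkg.Value) { "default (1 = Prompt)" }
               else { "$($pkg.Value) = $($pkgMeaning[$pkg.Value])" }

    "{0,-10} VBAWarnings:    {1} [{2}]" -f $app, $vbaText, $vba.Source
    "{0,-10} PackagerPrompt: {1} [{2}]" -f $app, $pkgText, $pkg.Source

    # Flag the two settings that make the OLE/macro exploits in the alert trivial.
    if ($vba.Value -eq 1) { Write-Warning "$app runs all macros without prompting" }
    if ($pkg.Value -eq 0) { Write-Warning "$app runs embedded packages without prompting" }

    if ($Harden) {
        # Baseline: only digitally signed macros run; embedded packages never run.
        # A Policy-sourced value will still override this user-level setting.
        $userPath = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $userPath)) { New-Item -Path $userPath -Force | Out-Null }
        Set-ItemProperty -Path $userPath -Name "VBAWarnings"    -Value 3 -Type DWord
        Set-ItemProperty -Path $userPath -Name "PackagerPrompt" -Value 2 -Type DWord
        "{0,-10} hardened (VBAWarnings=3, PackagerPrompt=2)" -f $app
    }
}
```

Run it without switches across a sample of workstations to learn whether anyone is actually relying on unsigned macros or embedded packages; if the audit shows the defaults (prompt the user) everywhere, that is your evidence for the "will the organization approve disabling it" conversation, and the -Harden baseline is the setting you will eventually push through Group Policy rather than per user.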
This leads to a greater question: What is actually being patched in your organization? Make sure the organization's patch management policy states that all systems and applications fall under the scope of patching and updating. If there are systems that cannot be updated because they depend on legacy software, there are a couple of options:
- Talk to the vendor about updating their software.
- If the vendor is no longer around, segregate that system. Be creative about it. Some organizations put a dedicated firewall in front of the system and allow only the traffic it needs in and out.
Define your risk management program
All of this is moot if your organization has not identified risk and put a risk management program in place. So, what do you do?
- Identify your most critical assets and applications and determine how much it would cost (staff hours, lost revenue, replacement solutions, etc.) if those assets went down.
- Determine those critical assets' and applications' interdependencies. What systems, databases, and applications support the critical functions of those assets?
- Determine how many of those interdependencies must fail before a critical asset stops functioning.
Speak a common language
These are just a few ways to think about risk from a systems perspective, but that view has to be translated into business terms to gain any traction within your organization.
Without going into detail, let me share some of the wins your organization will have with fully implemented patching and vulnerability management programs:
- Better risk management: Critical business functions are easy to identify
- Better asset management: You know what is in your environment
- Better organizational understanding of information security: Top-level support
- Increased communication across business units: Response times decrease
- Better partnerships: Relationships that affect the overall success of the organization as a whole
I encourage you to check out the alert from CISA and start your patching and vulnerability management programs there.