The simple fact is that software is written by humans and humans make mistakes, so the software has bugs in it. And if those bugs are in systems that are critical to core business practices, they need to be addressed promptly.
Defensive systems like Web Application Firewalls (WAFs) are a huge force multiplier for organizations trying to manage their attack surface, but some vulnerabilities just have to be patched. And this isn’t true for just the private sector.
The government certainly has a presence on the Internet and uses software that could include dangerous vulnerabilities. In order to increase the security of government systems, the United States Department of Homeland Security (DHS) has issued patching guidance for US government agencies.
The State of Patching
Before getting into the details of the DHS mandate, it’s useful to understand why they even bothered. Patching seems like a pretty important thing to do, so, logically, organizations should be doing it anyway in order to minimize their potential exposure to attacks, data breaches, etc.
Unfortunately, most organizations are terrible at patching software vulnerabilities. In fact, most organizations take over a month to install patches for known vulnerabilities. Critical vulnerabilities (i.e. the ones that can be very bad) had an average time to patch (measured from the release of a patch to its installation) of 34 days, while the average patch time for all vulnerabilities, regardless of severity, was 38 days.
The issue with this is that hackers don’t wait a month before trying to exploit a vulnerability. You’re often lucky if you get a week between notification of a vulnerability and the first attempts at exploitation (normally the delay is in hours). This gap between the response time of defenders and attackers can be the reason that an organization is breached.
But why are organizations so slow at patching software vulnerabilities? There are a variety of reasons. One potential cause is compatibility: some patches have the potential to break existing software running on a machine.
Performing the update may mean disabling certain functionality on a critical system. When making a decision between being insecure and being incapable of performing essential business functions, many organizations choose insecurity.
Another potential cause of delays in patching is limited manpower and competing priorities. The available cyber talent is limited (there is a major skills gap in the industry), meaning that it is difficult for organizations to acquire and retain enough cybersecurity staff.
As a result, many departments are running understaffed and need to prioritize their actions. When choosing between protecting the organization from current threats and patching vulnerabilities that are not being actively exploited, patching gets put on the back burner.
As a result, the state of patching in most industries is pretty poor. Patching is usually done in waves to minimize the operational impact, meaning that systems are left insecure for days or weeks until the next patch testing and deployment cycle.
New Rules for the Government
The United States Department of Homeland Security (DHS) has jurisdiction over US government agencies’ cybersecurity and has exercised that power in an attempt to decrease the time between the discovery of a vulnerability on government systems and it being patched. US government agencies now have 15 calendar days to fix “critical” vulnerabilities and 30 days to apply patches for “high” severity bugs.
If agencies comply with the mandate, this will significantly decrease the time to patch these vulnerabilities (currently averaging over 30 days, as noted above). DHS plans to take an active role by contacting agencies at the 15-day mark if patches have not been applied and requiring an explanation for the delay.
Agencies can then provide an explanation, a description of how the vulnerability is being managed in the interim, and a plan for patching. If there is no plan to patch a certain vulnerability (i.e. due to compatibility issues), this is also an acceptable justification.
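As an added example (not part of the original article), the following Python tracker applies the deadlines described above, 15 calendar days for critical and 30 for high, to a constructed list of findings and reports which are within deadline, overdue, overdue but covered by a documented interim plan, or already patched (on time or late), along with the average time to patch. The `Finding` fields, the status names and the sample data are assumptions made up for this example.

```python
"""Added example: SLA tracker for the 15-day (critical) / 30-day (high)
patching deadlines. Field names, status labels and sample findings are
assumptions constructed for illustration, not the mandate's own format."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Deadlines in calendar days, keyed by severity, as stated in the mandate.
DEADLINE_DAYS = {"critical": 15, "high": 30}


@dataclass
class Finding:
    name: str              # hypothetical identifier, e.g. a ticket number
    severity: str          # "critical" or "high"
    patch_released: date   # date the vendor fix became available
    patched: Optional[date] = None  # date the fix was applied, if any
    interim_plan: bool = False      # documented mitigation/justification


def status(f: Finding, today: date) -> str:
    """Classify one finding against the deadline for its severity."""
    limit = DEADLINE_DAYS[f.severity]
    if f.patched is not None:
        late = (f.patched - f.patch_released).days > limit
        return "patched-late" if late else "patched"
    age = (today - f.patch_released).days
    if age <= limit:
        return "open-within-deadline"
    # Past the deadline: a documented interim plan (or a justified decision
    # not to patch) is what the mandate treats as an acceptable explanation.
    return "overdue-justified" if f.interim_plan else "overdue"


def report(findings, today):
    """Return ({name: status}, average days to patch for fixed findings)."""
    statuses = {f.name: status(f, today) for f in findings}
    fixed = [(f.patched - f.patch_released).days for f in findings if f.patched]
    avg = sum(fixed) / len(fixed) if fixed else None
    return statuses, avg


# Constructed sample data; dates chosen to exercise every status.
TODAY = date(2019, 6, 1)
SAMPLE = [
    Finding("VULN-A", "critical", date(2019, 5, 20)),                           # 12 days open
    Finding("VULN-B", "critical", date(2019, 5, 1)),                            # 31 days, no plan
    Finding("VULN-C", "high", date(2019, 4, 15), interim_plan=True),            # 47 days, justified
    Finding("VULN-D", "high", date(2019, 4, 1), patched=date(2019, 5, 5)),      # fixed after 34 days
    Finding("VULN-E", "critical", date(2019, 5, 10), patched=date(2019, 5, 14)), # fixed after 4 days
]

if __name__ == "__main__":
    statuses, avg = report(SAMPLE, TODAY)
    for name, s in statuses.items():
        print(name, s)
    print("average days to patch:", avg)
```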
Keeping Systems Secure
The security of Internet-facing systems (webservers, email servers, etc.) is a priority for any organization’s cybersecurity defense strategy. Since most attackers start out outside an organization’s perimeter, the majority of the attacks against an organization’s network will be focused on these systems that are publicly accessible.
Guidance like the DHS mandate for government agencies is a good starting point when trying to decrease the number and impact of intrusions and data breaches. By defining a deadline, providing notifications, and forcing agencies to explain why certain systems are not patched “in time”, DHS is helping to decrease the time between patch creation and application while maintaining realistic expectations (since some systems cannot be patched).
However, simply decreasing the time from patch creation to deployment isn’t enough to protect an organization’s systems from attack. Even agencies that are completely compliant with DHS’s new mandate can be vulnerable to attack for up to 15 calendar days, which is plenty of time for an attacker to discover and exploit vulnerable systems.
Advanced Web Application Firewalls (WAFs) can help to plug the holes left by vulnerabilities with their ability to perform virtual patching. Once one of these firewalls is aware of a certain vulnerability (which can be managed through automated signature updates), it can block the traffic that attempts to exploit that vulnerability while the underlying software remains unpatched.
This provides the best of both worlds, allowing organizations to secure their systems without rushing their patch testing and deployment operations.