Today we continue our look at a series of practical steps that districts can use to increase their NIST compliance. Looking at the complete set of NIST controls can be a daunting experience. One of the best ways we have found to make these cybersecurity improvements more attainable is to follow the CIS Controls Top 20 list, which maps nicely onto NIST. CIS also breaks its controls into three implementation groups: a "start here" group 1, a more advanced group 2, and, once those are done and you are ready for full "Ninja status," group 3. This series walks through the "start here" group 1 items.
Today's topic is Vulnerability Management, and in particular the implementation group 1 (IG1) items for patch management.
Action item #1 - Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
Action item #2 - Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
Vulnerability and patch management have become a huge deal over the past several years. Research has shown that the vast majority of security breaches are not caused by some mysterious new zero-day exploit that snuck past all our defenses. Most of the breaches we hear about can be traced back to a specific vulnerability that the vendor had identified and patched long before the breach. Still, for various reasons, the breached organization had not yet applied that patch to its own systems.
Many of you already have some form of patch management program in place using tools like Microsoft WSUS or SCCM. Keep in mind that WSUS on its own only delivers Microsoft updates; action item #2 calls for a tool (or an SCCM third-party update catalog) that also covers browsers, Java, Adobe products and the other third-party software on your systems. NIST will expect that you not only have the tools in place but also a documented process for when and how you apply updates to both applications and operating systems. Ultimately you will need evidence from your patch maintenance cycles, such as compliance reports from the tools you choose to put in place, to prove that you are following your documented process.
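As an added example (not code from the original post, and not tied to any particular product), here is a small Python script that performs the verification step just described: it reads a patch inventory export in the shape a WSUS/SCCM or third-party patching tool could produce and checks every OS and third-party update against a documented policy of maximum days between vendor release and installation. The column layout, the policy windows, the host names and every row of the sample export are constructed assumptions for this example; swap in your own export and the windows from your own documented process.

```python
"""Patch-cycle verification against a documented patch policy.

Added example, not code from the original post. It assumes a hypothetical CSV
export with one row per (host, update) and a blank install date for updates
that have not yet been applied.
"""
import csv
import io
from datetime import date, timedelta

# Hypothetical documented policy: maximum days allowed between the vendor's
# release date and installation, keyed by the severity the tool reports.
POLICY_DAYS = {
    "Critical": 14,
    "Important": 30,
    "Moderate": 60,
    "Low": 90,
}
DEFAULT_DAYS = 30  # updates the tool leaves unrated get the "Important" window

# The date the check is run; fixed here so the sample output is reproducible.
AS_OF = date(2024, 4, 30)

# Constructed sample export (not real data). Hosts, products, titles and dates
# are invented for illustration.
SAMPLE_EXPORT = """host,source,product,title,severity,released,installed
LAB-PC-01,os,Windows 10,2024-03 cumulative update,Critical,2024-03-12,2024-03-20
LAB-PC-01,third-party,Chrome,stable channel update,Critical,2024-03-15,
LAB-PC-02,os,Windows 10,2024-03 cumulative update,Critical,2024-03-12,
LAB-PC-02,third-party,Adobe Reader,quarterly update,Important,2024-02-01,2024-03-10
SRV-FS-01,os,Windows Server 2019,2024-03 servicing stack,Important,2024-03-12,2024-04-05
SRV-FS-01,os,Windows Server 2019,2024-04 cumulative update,Critical,2024-04-09,2024-04-15
SRV-FS-01,third-party,Java runtime,quarterly update,Moderate,2024-04-20,
"""


def _parse_date(text):
    return date.fromisoformat(text) if text else None


def evaluate(export_text, as_of):
    """Return one finding per row with status compliant, late, overdue or pending.

    compliant: installed on or before the policy deadline
    late:      installed, but after the deadline (a process failure to record)
    overdue:   not installed and the deadline has already passed
    pending:   not installed, but still inside its window
    """
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        released = _parse_date(row["released"])
        installed = _parse_date(row["installed"])
        window = POLICY_DAYS.get(row["severity"], DEFAULT_DAYS)
        deadline = released + timedelta(days=window)
        if installed is not None:
            days = (installed - released).days
            status = "compliant" if installed <= deadline else "late"
        else:
            days = (as_of - released).days
            status = "overdue" if as_of > deadline else "pending"
        findings.append({
            "host": row["host"],
            "source": row["source"],       # "os" (action item #1) or "third-party" (#2)
            "product": row["product"],
            "title": row["title"],
            "severity": row["severity"],
            "deadline": deadline,
            "days": days,
            "status": status,
        })
    return findings


def host_summary(findings):
    """Per host: OK when every update met its window; pending updates that are
    still inside their window do not count against the host."""
    summary = {}
    for f in findings:
        summary.setdefault(f["host"], "OK")
        if f["status"] in ("late", "overdue"):
            summary[f["host"]] = "EXCEPTION"
    return summary


def report(findings, as_of):
    """Exception list suitable for attaching to the patch-cycle record."""
    lines = [f"Patch cycle verification as of {as_of}"]
    for f in findings:
        if f["status"] == "compliant":
            continue
        lines.append(f"{f['host']:<10} {f['source']:<11} {f['product']:<20} "
                     f"{f['severity']:<9} {f['status']:<9} "
                     f"{f['days']:>3}d (deadline {f['deadline']})")
    for host, state in sorted(host_summary(findings).items()):
        lines.append(f"{host}: {state}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(evaluate(SAMPLE_EXPORT, AS_OF), AS_OF))
```

Run as-is it prints the overdue and late items (the two lab PCs miss their Critical windows, and the Adobe update was applied 38 days after release against a 30-day window) and marks each host OK or EXCEPTION. Two design points worth keeping when you adapt it: unrated updates fall back to the Important window rather than being skipped, so a tool that leaves severity blank cannot silently hide work, and "late" is tracked separately from "overdue" so your records show not just what is missing today but whether the documented cycle was actually followed.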
If you are struggling to develop the appropriate patch update tools and processes in your environment, please give our office a call. We would be happy to help advise you on putting something in place that will work for you.