Today we continue our look at a series of practical steps that districts can use to increase their NIST compliance. Looking at the complete set of NIST controls can be a daunting experience. One of the best ways we have found to make these cybersecurity improvements more attainable is to follow the CIS Controls Top 20 list, which maps nicely onto NIST. CIS also breaks its controls list into three implementation groups: a "start here" group 1, a more "advanced" group 2, and, when that's done, group 3 for full "Ninja status." This series focuses on a walk-through of the "start here" group 1 items.
A few weeks ago, we talked about the patching of endpoint device operating systems and application software. Today's topic is about a very similar requirement regarding the security posture of the firewalls, routers, and switches in your network. This group of controls is ultimately going to require that your organization “Establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.”
The implementation group 1 (IG1) requirement for this control section has a single action item:
Action item #1 - Install the Latest Stable Version of Any Security-Related Updates on All Network Devices - Install the latest stable version of any security-related updates on all network devices.
The particular tools, processes, and procedures that you will need to put in place to satisfy this control will vary widely depending on the devices and device vendor(s) for the equipment in your network.
At a minimum, you will need to establish a method to be alerted when a vendor releases updates, both functional updates and security vulnerability fixes. You will also need to develop the processes and tools for implementing and testing those updates, both on a regular schedule and as required for emergency security-related updates.
Some environments will be best served by management tools external to the network devices for this purpose. Others will have a nearly automatic update process built into their device management tools.
The important part is to define a formal network device patch management process, then demonstrate that you are executing that process regularly as you have defined it.
If you need assistance with evaluating and developing the tools and processes required for an effective patch management strategy for the network devices deployed in your network, reach out to our team. We will be happy to help you get started.