CISA Step 2 – Mitigating Known Exploited Vulnerabilities (patching)

October 16th, 2023

Today we continue our series on the highest-priority cybersecurity steps identified in the CISA report published in January 2023, “Partnering to SafeGuard K-12 Organizations from Cybersecurity Threats.” In that report, CISA suggested that schools start their cybersecurity journey by implementing six of the highest-priority security measures:

  • deploying multifactor authentication (MFA)
  • mitigating known exploited vulnerabilities (patching)
  • implementing and testing backups
  • minimizing exposure to common attacks
  • regularly exercising an incident response plan
  • implementing a strong cybersecurity training program

This bulletin addresses Step 2 - mitigating known exploited vulnerabilities, also known as patching. According to CISA, keeping systems patched is one of the most cost-effective practices an organization can adopt to improve its security posture.

Cybersecurity is a constant competition between software and hardware developers and bad actors. The bad actors scour software programs and hardware code looking for the one mistake that will let them into your network. Developers are constantly reviewing their own products for the flaws they may have missed that would let someone in where they don’t belong. When developers find such mistakes, they release patches or security updates to fix the issue and keep the bad actors out.

The challenge for those of us who use this software and hardware is to make sure that any vulnerability that has been identified gets fixed as soon as possible. This is done by installing patches or security updates (most people are familiar with these from their phones and tablets). The only thing worse than having someone breach your network is finding out that the breach happened only because the latest patch wasn’t installed. It is estimated that 70% of breaches occur through a vulnerability for which a patch was already available but never applied.

Because of the quantity of hardware and software in use by schools, patching can be time-consuming. But like exercise and physicals, the consequences of not doing it can be serious.

This week’s suggestion:

  • Talk to your Tech Director about the patching process for your network resources.
  • Ask how hardware and software vulnerabilities, including those in third-party applications, are identified and resolved.

Next week’s bulletin will discuss “CISA Step 3 – Perform and Test Backups.”

If you would like more information or help with patching, understanding your district’s current vulnerability exposure, or navigating the NIST CSF journey, please contact Lisa MacDougall at lmacdougall@csiny.com or call 845.897.9480.