Using CPGs in Real Life – Patching

March 20th, 2024
Using CPGs in Real Life – Patching

Everyone knows the adage “No one is perfect”. Unfortunately for anyone with a computer network, the bad actors who want to infiltrate your system are ready to take full advantage of any mistake they can find. The Cybersecurity and Infrastructure Security Agency (CISA) knows this, as they called out CPG 1.E (Mitigate Known Exploited Vulnerabilities) in both their January and August 2023 Bulletins. We discussed Priority 1 (Implement MFA) in the last bulletin. Why is Mitigate Known Exploited Vulnerabilities (aka Patching) Priority 2 in protecting your district, according to CISA?

Cyber security is a constant competition between software/code developers and bad actors. The bad actors scour software programs and hardware code looking for that mistake that will let them into your network. Software/code developers are constantly reviewing their products looking for things they might have missed that will let someone in where they don’t belong. When developers find mistakes, they create patches or security updates to fix the issue and keep the bad actors out.

The challenge for those of us who use this software and hardware is to make sure that any vulnerabilities that have been identified get fixed as soon as possible. This is done by implementing patches or security updates. (Most people are familiar with these for their phones/tablets). The only thing worse than having someone breach your network is finding out the breach only happened because the latest patch wasn’t installed. It is estimated that 70% of the breaches that occur happen via a vulnerability that already has a patch available to resolve but was never applied.

Because of the quantity of hardware and software programs in use by schools, this can be time-consuming. But like exercise and physicals, the result of not doing it can be serious.

This week’s suggestion:

  • Talk to your Tech Director about what the patching process is for your network resources.
  • Ask how hardware and software vulnerabilities are identified and resolved including third-party applications.

Do you have questions about where to start with Patching implementation? Are you feeling overwhelmed by the NIST Cybersecurity Framework and CPGs? Call CSI and ask how we can help you understand and help mitigate your Cyber risk. We have a specific service to help you get started on the NIST CSF journey. Just contact Lisa MacDougall ( or 845.897.9480.