United States federal government agencies are now required to patch the most serious vulnerabilities in half the time. A new cyber security directive from the Department of Homeland Security (DHS) has cut the mandatory time to patch vulnerabilities rated “critical” down from 30 to 15 calendar days, in a bid to shore up cyber security in the face of increasing activity by threat actors and some high-profile failures.
Experts commented below:
Colin Little, Senior Threat Analyst at Centripetal Networks:
The federal government’s new cyber security directive does not serve as a good measuring stick for how independent businesses should patch vulnerabilities. As Colin Little, Senior Threat Analyst for Centripetal, points out:
“We have seen time and again where a new critical vulnerability is publicized and, within hours of that release, scans for the associated service start flooding the internet. Network owners must realize that when a new critical vulnerability is released that affects them, they are one degree of separation away from an emergency. These same network owners desperately need a mechanism which is adopted by system owners and incorporated into change management procedures, in order to respond with urgency where they are able. Such a process would treat the vuln as though it were an emergency, complete with backup procedures and other risk-mitigation strategies associated with patching a system. They must do this if they are to avoid the actual emergency of systems compromise.
“Network owners would also do well to know that malicious actors have likely already performed reconnaissance on their public-facing services so that, when a new critical vulnerability is discovered, they already have a list of targets where they have identified that service or technology is present. Having a vulnerability scan of your public-facing services is fundamental, but in addition to this network owners would benefit from a service which notifies and blocks against active attacks on their public-facing infrastructure.”
It is a hard fact, however, that many businesses will find themselves in the same boat as some of these federal agencies. They may have legacy systems that they cannot replace, or a fragile patchwork that continual security patches threaten to upend unexpectedly. A total upgrade or replacement of existing systems is simply not in the cards, perhaps for budget reasons or due to unique industry needs.
As Little points out, another hard fact is that in many cases 15 working days is simply not an adequate response time for patching critical vulnerabilities. This is particularly true for emerging (“zero day”) threats. At minimum, an adequate emergency backup and restoration system is an absolute necessity.
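As an added example (not code from the article or from Centripetal), the two points above, an up-to-date inventory of public-facing services and a fixed remediation window, can be combined into a small tracker: it matches a hypothetical advisory against a constructed inventory and reports each exposed host's patch deadline under the old 30-day and new 15-calendar-day rules. The product names, versions, dates and the 30-day window for "high" severity are assumptions, not values from the page.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation windows in calendar days. The "critical" row follows the
# directive described above (30 days before, 15 now); "high" is an assumption.
OLD_WINDOWS = {"critical": 30, "high": 30}
NEW_WINDOWS = {"critical": 15, "high": 30}


@dataclass(frozen=True)
class Service:
    host: str
    product: str
    version: tuple  # version kept as a tuple so it compares numerically


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_in: tuple  # versions below this are affected
    severity: str
    published: date


def affected_services(inventory, advisory):
    """Services whose product matches and whose version predates the fix."""
    return [s for s in inventory
            if s.product == advisory.product and s.version < advisory.fixed_in]


def patch_deadline(advisory, windows=NEW_WINDOWS):
    """Last calendar day on which a patch is still inside the window."""
    return advisory.published + timedelta(days=windows[advisory.severity])


def remediation_report(inventory, advisory, today, windows=NEW_WINDOWS):
    """Map each exposed host to (deadline as ISO date, overdue?) as of `today` (YYYY-MM-DD)."""
    deadline = patch_deadline(advisory, windows)
    overdue = date.fromisoformat(today) > deadline
    return {s.host: (deadline.isoformat(), overdue)
            for s in affected_services(inventory, advisory)}


# Constructed sample data: a hypothetical product and advisory, not a real CVE.
INVENTORY = [
    Service("web-1", "acme-httpd", (2, 4, 1)),
    Service("web-2", "acme-httpd", (2, 4, 9)),
    Service("mail-1", "acme-smtpd", (1, 0, 0)),
]
ADVISORY = Advisory("acme-httpd", fixed_in=(2, 4, 9), severity="critical",
                    published=date(2019, 5, 1))

if __name__ == "__main__":
    for name, windows in (("old", OLD_WINDOWS), ("new", NEW_WINDOWS)):
        print(name, remediation_report(INVENTORY, ADVISORY, "2019-05-20", windows))
```

Under the old rule web-1 is still within its window on 2019-05-20; under the new 15-day rule it is already overdue, which is the halving the directive imposes.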