CPO Magazine, May 10, 2019, with comments by Willy Leichter

DHS issues mandate to patch vulnerabilities twice as fast as before

The Department of Homeland Security has issued a new cybersecurity mandate to US federal government agencies that they must now patch critical vulnerabilities twice as fast as before. Their previous timeframe for patching critical category vulnerabilities was within 30 days of detection and now it is 15 days.

This step is an effort to increase security defense against the rising cyber threats of bad actors as well as in the aftermath of some security failures that put the government in an unwanted spotlight.

“Initial detection” now based on CISA discovery

For the new 15-day timeframe, DHS has also updated their definition of “initial detection.” Now, the DHS Cybersecurity and Infrastructure Security Agency (CISA) will conduct “Cyber Hygiene” scans every week. Once a vulnerability is detected in these scans, that’s now the point of initial detection that starts the 15-day clock for companies. This applies to vulnerabilities ranked as critical. Flaws categorized as “high severity” or lower are remaining at the 30-day time requirement for implementing patches.

Penalties in place for not meeting patching timeframes or providing mitigation plan

If a federal agency doesn’t patch a vulnerability in this required timeframe, they then have three days to put together a remediation plan. They must also provide an explanation for why they can’t make the 15-day deadline, along with documentation of intermediary ways they will mitigate the situation and an estimate of when the patch can be completed. If an agency fails to comply in a timely manner, terms for administrative penalties are in place.

The Pentagon and intelligence agencies are exempt from these requirements and all other government agencies must comply. An exception from these rules is made for systems no longer receiving security updates.

The National Protection and Programs Directorate (NPPD) established the CISA when they were tasked with protecting national physical and cyber infrastructures. This step is their second significant move this year. The first was an emergency directive requiring all agencies to perform DNS audits of their domain name records after a series of DNS hijackings likely carried out by state-sponsored Iranian hackers.

These agencies may be trying to demonstrate they can implement effective strategies after a report in early April found many federal agencies not effective when it comes to cyber security.

A move in the right direction, but not fast enough

When asked about the new requirements, several security executives acknowledged the move is a good one, moving in the right direction, even though it may place a burden on resources, especially for smaller companies. But they also pointed out that for critical threats, including zero day threats, taking 15 days to implement a patch is still far too long. Forty-eight hours was generally agreed as the outside window for applying a patch against a critical threat.

However, not all agencies are able to implement patches. 2016 reports show some federal systems are running outdated versions of Windows, sometimes going back to Windows 3.1. The report showed federal agencies spend approximately 75% of their annual budget on maintaining these legacy systems. Once they get old enough, these legacy systems have operating systems that are so old they hit a point where they can’t be patched reliably against new or existing vulnerabilities.

Willy Leichter, VP of Marketing for Virsec, points out, “Patching critical vulnerabilities should always be a top priority, but arbitrary deadlines often have unintended consequences. There are three main reasons why servers often go unpatched – 1) negligence or poor processes, 2) lack of awareness of where vulnerable code is running, or 3) hesitancy to patch because it can break things in fragile, complex environments.

“The DHS order should help flush out the first two, but even in well run organizations patching can be much harder than it sounds. Today’s software stacks are complex and extremely interdependent. Even the best patches can cause conflicts, require updating platforms, or break integrations. Any patch has to be carefully vetted and tested before being deployed – this is why the average patch time for most enterprise servers is 3-6 months.”

Read full Cyber Security Directive Forces Federal Agencies to Patch Vulnerabilities Twice as Fast article.

White paper: Patching the Iron Tail Is Easier Said than Done article

Newsletter: Latest issue

Memory Protection product information
Critical Infrastructure product information

Blog: Prediction Series #3: Many companies aren’t “Minding the Gap” of their missing patches