Federal agencies have their hands full identifying and fixing security vulnerabilities. As IT infrastructure grows and becomes more complex, it can be challenging keeping up with software glitches, flaws, or weaknesses across the expanding attack surface. What was once a small area to defend is now a vast environment of digital assets – on-premises, in the cloud, and remote/work-from-home offices.
Despite these challenges, the Department of Homeland Security (DHS) wants agencies to move faster to identify and fix vulnerabilities, cutting the time required for critical systems to be patched from 30 days to 15 days. This timeframe can be superseded by other mandates, such as the emergency directive issued by DHS in June this year requiring a Microsoft Windows vulnerability to be patched in just 24 hours.
With a shorter window to remediation, let’s look at four ways federal IT professionals can improve their cyber response.
- Quickly Identify High-Risk Systems
When a critical bug or vulnerability, such as the Microsoft “wormable” flaw, is discovered, it’s incumbent on IT teams to act quickly, especially given the prevalence of Windows servers in the federal government. But the size and complexity of federal IT infrastructures means discovering systems with potential vulnerabilities is a daunting and time-consuming process.
When time is of the essence, IT professionals can expedite the process and meet future DHS “quick fix” mandates by configuring scan profiles within their vulnerability scanning tools. Profiles can be set to limit probes only to potentially vulnerable Windows systems in the environment. This ensures only those potentially impacted systems are included in the scan, speeding the process significantly.
- Scan for Vulnerabilities Without System Impacts
Beyond responding to specific known vulnerabilities, IT teams must scan their environment on a continuous basis. This is no small feat. Security resources are often limited and scaling vulnerability scans across tens of thousands of systems – without incurring system performance or availability issues – is challenging.
To prevent system failure during routine day-to-day vulnerability scans, IT professionals should schedule their scans to occur at certain times such as outside business hours or during maintenance windows. They can also define how thorough or intrusive the scan should be – more intrusive scans can destabilize computing systems.
Another best practice is to run scans on specific segments of the network. If these systems remain stable during the vulnerability scan, then IT can move on to scanning other areas of the infrastructure. If an issue arises, a fix can be implemented and lessons learned applied to future scans.
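As an added example (not from the original article), the following Python sketch shows how the targeted scan profile and the segment-by-segment scheduling described above fit together: it keeps only hosts whose OS matches the advisory being worked, buckets them by network segment, and gives each segment its own slot inside a nightly maintenance window. The inventory, OS matches and subnets are constructed placeholders, not an actual affected-version list.

```python
from datetime import datetime, time, timedelta
from ipaddress import ip_address, ip_network

# Constructed inventory of hypothetical hosts; not from any real agency.
INVENTORY = [
    {"host": "dc01", "ip": "10.1.0.5", "os": "Windows Server 2012 R2", "role": "domain-controller"},
    {"host": "fs02", "ip": "10.1.0.22", "os": "Windows Server 2008 R2", "role": "file-server"},
    {"host": "web03", "ip": "10.2.0.7", "os": "Windows Server 2012 R2", "role": "web"},
    {"host": "db04", "ip": "10.2.0.9", "os": "RHEL 8", "role": "database"},
    {"host": "ws05", "ip": "10.3.0.41", "os": "Windows 10", "role": "workstation"},
]

# Scan profile for one advisory. The OS prefixes are illustrative, not a real affected list.
PROFILE = {
    "name": "windows-critical-advisory",
    "os_prefixes": ("Windows Server 2008", "Windows Server 2012"),
    "segments": ["10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24"],
}

def select_targets(inventory, profile):
    """Keep only hosts whose OS matches the profile, so the scan probes nothing else."""
    return [h for h in inventory if h["os"].startswith(profile["os_prefixes"])]

def group_by_segment(targets, segments):
    """Bucket the targets per network segment so one segment is scanned at a time."""
    nets = [ip_network(s) for s in segments]
    groups = {str(n): [] for n in nets}
    for h in targets:
        for n in nets:
            if ip_address(h["ip"]) in n:
                groups[str(n)].append(h["host"])
                break
    return {seg: hosts for seg, hosts in groups.items() if hosts}

def schedule(groups, start_iso, window_start=time(20, 0)):
    """Give each non-empty segment its own night inside the maintenance window (ISO timestamps).
    Scanning one segment per window lets a stability problem be fixed before the next one runs."""
    start = datetime.fromisoformat(start_iso)
    first = datetime.combine(start.date(), window_start)
    if first < start:               # today's window already passed: begin tomorrow
        first += timedelta(days=1)
    return {seg: (first + timedelta(days=i)).isoformat()
            for i, seg in enumerate(sorted(groups))}

if __name__ == "__main__":
    plan = schedule(group_by_segment(select_targets(INVENTORY, PROFILE), PROFILE["segments"]),
                    "2020-09-01T09:00:00")
    for seg, when in plan.items():
        print(f"{PROFILE['name']}: scan {seg} starting {when}")
```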
- Automate Patching Where Possible
Because most breaches can be traced back to unpatched system vulnerabilities, once a vulnerability is discovered, patches must be quickly applied. Automated patch management can simplify many of the steps involved – from research and scheduling, to deployment and reporting – helping save time and making it easier to know which machines are patched and compliant. But for resource-constrained IT departments, the real value lies with patches applied automatically across several systems at once.
Despite its benefits, automation can be a double-edged sword. If a patch is applied automatically and causes an asset to crash, IT teams must step in to remediate the issue. Automation makes it possible to patch large numbers of systems in a short period of time, but there is a risk that patches may not apply properly or could have an adverse effect on the systems where they are applied. IT pros need to weigh the risk for each system or group of systems to determine how much automation they are willing to accept in order to close vulnerabilities that can lead to exploit and compromise. If patches aren’t applied, and quickly, the systems or devices are left vulnerable to exploits.
For this reason, IT teams should set up sandbox environments where they can test a patch on a small sampling of non-critical systems. If all is well, the patch can be deployed into the automated patch cycle.
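The staged rollout described above, as an added Python example that is not part of the original article: the patch goes first to a small sample of non-critical systems, and is promoted into the wider automated cycle only if every system in that sample passes a health check. The fleet is constructed, and `apply_patch` / `health_check` are hypothetical hooks standing in for whatever patch-management tool the agency uses.

```python
# Constructed fleet of hypothetical hosts; "critical" marks systems kept out of the test ring.
FLEET = [
    {"host": "dc01", "critical": True},
    {"host": "fs02", "critical": False},
    {"host": "web03", "critical": False},
    {"host": "ws05", "critical": False},
    {"host": "ws06", "critical": False},
]

def pick_canaries(fleet, sample_size):
    """Test ring: a small, deterministic sample of non-critical systems."""
    candidates = sorted(h["host"] for h in fleet if not h["critical"])
    return candidates[:sample_size]

def staged_rollout(fleet, sample_size, apply_patch, health_check):
    """Patch the canary ring first; promote to the rest of the fleet only if every canary stays
    healthy. apply_patch(host) and health_check(host) -> bool are hypothetical tool hooks."""
    canaries = pick_canaries(fleet, sample_size)
    report = {"canaries": canaries, "promoted": False, "patched": [], "failed": []}
    for host in canaries:
        apply_patch(host)
        (report["patched"] if health_check(host) else report["failed"]).append(host)
    if report["failed"]:
        return report          # stop here: the patch goes back for investigation
    for h in fleet:            # canaries passed, so the automated cycle covers everything else
        host = h["host"]
        if host in canaries:
            continue
        apply_patch(host)
        (report["patched"] if health_check(host) else report["failed"]).append(host)
    report["promoted"] = True
    return report

if __name__ == "__main__":
    # Simulated run in which one canary fails its health check, so nothing else is patched.
    result = staged_rollout(FLEET, 2, lambda host: None, lambda host: host != "web03")
    print(result)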
- In a Work-at-Home World, Train Employees
Working remotely presents new challenges to patch management. Sticking to vigilant security policies becomes much harder when employees can simply bypass a software update notification that could protect their workstations from prying eyes on insecure Wi-Fi networks.
It’s important to educate employees about the risks of ignoring or postponing software updates. Each employee is a target for attack, and the longer a machine is unpatched, the greater the probability it will be exploited by a bad actor seeking to infiltrate the agency network and access other systems.
Now Is a Great Time to Evaluate Vulnerability Management Processes
As federal IT infrastructures grow in scale and complexity, and COVID-19 shifts teams to a remote work model, agencies are doing everything they can to keep systems up to date, secure, and available. But now is also a great time to re-evaluate and introduce process improvements in vulnerability and patch management. While these uncertain times have introduced challenges and constraints, they also present opportunities for agencies to reduce risk exposure and keep pace with vulnerability remediation directives.