Thursday, February 22, 2024

Patching The Vulnerabilities in Government Systems: Inside the New DHS Mandate

Software vulnerabilities and the need for patching have become a fact of life in the modern world. Everyone loves the capabilities provided by computers and the Internet, but they’re not perfect.

The simple fact is that software is written by humans, and humans make mistakes, so the software has bugs in it. And if those bugs are in systems that are critical to core business practices, they need to be addressed promptly.

Defensive systems like Web Application Firewalls (WAFs) are a huge force multiplier for organizations trying to manage their attack surface, but some vulnerabilities just have to be patched. And this isn’t true for just the private sector.

The government certainly has a presence on the Internet and uses software that could include dangerous vulnerabilities. In order to increase the security of government systems, the United States Department of Homeland Security (DHS) has issued patching guidance for US government agencies.

The State of Patching

Before getting into the details of the DHS mandate, it’s useful to understand why they even bothered. Patching seems like a pretty important thing to do, so, logically, organizations should be doing it anyway in order to minimize their potential exposure to attacks, data breaches, etc.

Unfortunately, most organizations are terrible at patching software vulnerabilities. In fact, most organizations take over a month to install patches for known vulnerabilities. Critical vulnerabilities (i.e., the ones that can be very bad) had an average time to patch (from the release of a patch to installation) of 34 days, while the average patch time for all vulnerabilities (regardless of severity) was 38 days.

The issue with this is that hackers don’t wait a month before trying to exploit a vulnerability. You’re often lucky if you get a week between notification of a vulnerability and the first attempts at exploitation (normally the delay is in hours). This gap between the response time of defenders and attackers can be the reason that an organization is breached.

But why are organizations so slow at patching software vulnerabilities? There are a variety of different reasons. One potential cause is compatibility. Some patches have the potential to break existing software running on a machine.

Performing the update may mean disabling certain functionality on a critical system. When making a decision between being insecure and being incapable of performing essential business functions, many organizations choose insecurity.

Another potential cause of delays in patching is limited manpower and contradictory priorities. The available cybersecurity talent is limited (there is a major skills gap in the industry), meaning that it is difficult for organizations to acquire and retain enough cybersecurity talent.

As a result, many departments are understaffed and need to prioritize their actions. When choosing between protecting the organization from current threats and patching vulnerabilities that are not being actively exploited, patching gets put on the back burner.

As a result, the state of patching in most industries is pretty poor. Patching is usually done in waves to minimize the operational impact, meaning that systems are left insecure for days or weeks until the next patch testing and deployment cycle.

New Rules for the Government

The United States Department of Homeland Security (DHS) has jurisdiction over US government agencies’ cybersecurity and has exercised that power in an attempt to decrease the time between the discovery of a vulnerability on government systems and it being patched. US government agencies now have 15 calendar days to fix “critical” vulnerabilities and 30 days to apply patches for “high” severity bugs.

If agencies are compliant with the mandate, this will cause a significant decrease in the time to patch these vulnerabilities (all of which are over 30 days). DHS plans to take an active role by contacting agencies at the 15-day mark if patches have not been applied and requiring an explanation for this failure.

Agencies can then provide an explanation, a description of how the vulnerability is being managed in the interim, and a plan for patching. If there is no plan to patch a certain vulnerability (i.e., due to compatibility issues), this is also an acceptable justification.

Keeping Systems Secure

The security of Internet-facing systems (webservers, email servers, etc.) is a priority for any organization’s cybersecurity defense strategy. Since most attackers start out outside an organization’s perimeter, the majority of the attacks against an organization’s network will be focused on these systems that are publicly accessible.

Guidance like the DHS mandate for government agencies is a good starting point when trying to decrease the number and impact of intrusions and data breaches. By defining a deadline, providing notifications, and forcing agencies to explain why certain systems are not patched “in time”, DHS is helping to decrease the time between patch creation and application while maintaining realistic expectations (since some systems cannot be patched).

However, simply decreasing the time from patch creation to deployment isn’t enough to protect an organization’s systems from attack. Even agencies that are completely compliant with DHS’s new mandate can be vulnerable to attack for up to 15 calendar days, which is plenty of time for an attacker to discover and exploit vulnerable systems.

Advanced Web Application Firewalls (WAFs) can help plug the holes left by vulnerabilities with their ability to perform virtual patching. Once one of these firewalls is aware of a certain vulnerability (which can be managed through automated updates), it can block all traffic intended to exploit the vulnerability.

This provides the best of both worlds, allowing organizations to secure their systems without rushing their patch testing and deployment operations.

You can follow us on Linkedin, Facebook, Twitter for daily Cybersecurity updates. You can also take the Best Cybersecurity courses online to keep your self-updated.


Latest articles

Beware of New AsukaStealer Steal Browser Passwords & Desktop Screens

An updated version of the ObserverStealer known as AsukaStealer was observed to be advertised as...

US to Pay $15M for Info About Lockbit Ransomware Operator Data

In a significant move against cybercrime, the U.S. government has announced a bounty of...

Earth Preta Hackers Abuses Google Drive to Deploy DOPLUGS Malware

Threat actors abuse Google Drive for several malicious activities due to its widespread use,...

Swiggy Account Hacked, Hackers Placed Orders Worth Rs 97,000

In a startling incident underscoring the growing menace of cybercrime, a woman's Swiggy account...

Beware of VietCredCare Malware that Steals businesses’ Facebook Accounts

A new cybersecurity threat targeting Facebook advertisers in Vietnam, known as VietCredCare, has emerged....

Google Chrome 122 Update Addresses Critical Security Vulnerabilities

Google has recently unveiled Chrome 122, a significant milestone for the widely used web...

New Malicious PyPI Packages Use DLL Sideloading In A Supply Chain Attack

Researchers have discovered that threat actors have been using open-source platforms and codes for...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles