In an ideal world, governments would lead from the front on cybersecurity. Yet the big-name breaches across federal, state, and local governments over the years show that cybersecurity best practices have not been driven by the public sector.
However, things now seem to be changing with the Cybersecurity and Infrastructure Security Agency’s (CISA) new Binding Operational Directive (BOD), which will require federal agencies to patch hundreds of known vulnerabilities.
As best practices go, patching is fundamental to effective cybersecurity. The hope is that with this new push, the Biden administration can light a path towards cyber hygiene that will make organizations across the country more secure.
A directive for all organizations
The directive applies to all software and hardware on Internet- and non-Internet-facing IT systems, whether managed in-house or by a third party. It mandates that federal agencies patch a list of nearly 300 vulnerabilities that present a “significant risk” to networks.
Agencies have two weeks to close the vulnerabilities published in 2021 and six months for older Common Vulnerabilities and Exposures (CVEs) — some of which date back to 2014. Importantly, the BOD also establishes a CISA-managed catalog of “known exploited vulnerabilities,” which will be regularly updated, and the requirement to remediate extends to entries as they are added to it.
The move is long overdue, given that government watchdogs have highlighted deficiencies in federal patching programs for many years. It will be warmly welcomed in security circles, and less so in the cybercrime underground and hacking units of hostile nations.
The initiative can be viewed as part of the Biden administration’s rigorous approach to cyber risk management. This follows a widely praised Executive Order in May, which mandated the implementation of zero trust architecture, enhanced intelligence sharing, encryption, endpoint detection and response among agencies, and improved supplier scrutiny across government.
However, CISA director Jen Easterly has been clear: this BOD is not just a government play. She wants all organizations to adopt the directive and prioritize the vulnerabilities listed in the catalog. That’s absolutely the right message to send out.
The problem with unpatched vulnerabilities
The cybersecurity industry is often guilty of overcomplicating things. However, in the case of software vulnerabilities, the message is unequivocal: patch, patch, patch.
Software vulnerabilities have been at the heart of some of the biggest data breaches in history. And this year, exploits have empowered threat actors to ramp up malicious activity to almost unprecedented levels — from the outrageous SolarWinds campaign to the widespread exploitation of Exchange server bugs earlier in the year.
Security flaws don’t just arm nation-state operatives; they’re also a top-three attack vector for ransomware, driving a 148% increase in attacks year-over-year and costing organizations billions in the process. The bad news is the sheer scale of the threat. In an ideal world, organizations would patch everything as soon as vendor updates become available. In reality, the corporate attack surface is too large and patch volumes are already unmanageable.
There were over 18,100 CVEs released last year alone, more than any year previously. That amounts to more than 50 per day. A majority were classed as low complexity and required no user interaction to exploit. CIOs and CISOs running legacy IT systems may be even more restricted in what they can upgrade for fear of breaking mission-critical systems and rendering key applications unusable.
Improved cyber hygiene
So how can organizations practically follow Easterly’s advice to minimize cyber risk? Most breaches result from lapses we make — failing to understand which endpoints are unpatched and misconfigured, and which are connected to critical systems and data.
Given the complexity and dynamic nature of modern IT environments — especially cloud VMs and containers — keeping track of everything is increasingly challenging. Threat actors are adept at probing for and exploiting these mistakes.
This is where cyber hygiene comes in: a best-practice approach to identifying where risk is most pronounced and then fixing it. So how do you get there? Visibility is the first crucial step: you can’t protect what you can’t see.
Unfortunately, research shows that 94% of global CIOs have discovered endpoints in their organization that they were previously unaware of. Once you know what you have, it’s time to scan for vulnerabilities and configuration issues — prioritizing them by risk to the organization. This will vary from one organization to the next.
Then you need to remediate quickly and at scale, something that has traditionally been a challenge for large organizations. Where systems can’t easily be patched, endpoints can be shielded with security tools and entry points to networks must be monitored to keep hackers at bay.
It’s important to remember that this shouldn’t be a one-off process. IT leaders must continually scan and fix their environment because it’s in a state of constant flux, with changes potentially exposing new attack vectors every second.
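The workflow just described (know what you have, scan it, prioritize by risk, remediate on a clock, repeat) can be made concrete with a small triage script. The following is an added example, not code from the article, from CISA or from any vendor: it joins constructed scanner output against a constructed asset inventory and a constructed catalog of known exploited vulnerabilities, flags hosts the inventory did not know about, and assigns each catalog hit a deadline using the rule the article states (two weeks for CVEs published in 2021, six months for older ones). The CVE identifiers are placeholders, the directive date is supplied as an input, the field names are this example’s own, and treating CVEs newer than 2021 like 2021 entries is an assumption.

```python
"""Triage scanner findings against a catalog of known exploited vulnerabilities.

Added example (not code from the article, CISA or any vendor). Catalog, asset
inventory, scanner output and the directive date are constructed sample data,
and the field names are this example's own.
"""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# The article's rule: CVEs published in 2021 get two weeks, older ones six months.
# Treating CVEs newer than 2021 like 2021 entries is this example's assumption.
RECENT_YEAR = 2021
RECENT_DAYS = 14
OLDER_MONTHS = 6

# Constructed catalog: CVE id -> publication year. Ids are placeholders, not real CVEs.
KEV_CATALOG: Dict[str, int] = {
    "CVE-2021-PLACEHOLDER-A": 2021,
    "CVE-2020-PLACEHOLDER-B": 2020,
    "CVE-2014-PLACEHOLDER-C": 2014,
}

# Constructed inventory: host -> does it hold or connect to critical systems or data?
INVENTORY: Dict[str, bool] = {"web-01": False, "db-01": True}

# Constructed scanner output: (host, CVE id). legacy-07 is absent from the inventory.
SCAN_RESULTS: List[Tuple[str, str]] = [
    ("web-01", "CVE-2021-PLACEHOLDER-A"),
    ("web-01", "CVE-2019-PLACEHOLDER-Z"),   # scanner hit, but not in the catalog
    ("db-01", "CVE-2014-PLACEHOLDER-C"),
    ("legacy-07", "CVE-2020-PLACEHOLDER-B"),
]


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    critical_asset: bool     # host is tied to critical systems or data
    known_host: bool         # host was already in the asset inventory
    exploited: bool          # CVE appears in the known-exploited catalog
    due: Optional[date]      # remediation deadline; None when not in the catalog


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day to the target month's length."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def deadline(published_year: int, issued: date) -> date:
    """Remediation deadline for a catalog entry, counted from the directive date."""
    if published_year >= RECENT_YEAR:
        return issued + timedelta(days=RECENT_DAYS)
    return add_months(issued, OLDER_MONTHS)


def triage(scan_results, inventory, catalog, issued_iso: str) -> List[Finding]:
    """Join scan results with inventory and catalog, then order by urgency:
    catalog hits first, earliest deadline first, critical assets first."""
    issued = date.fromisoformat(issued_iso)
    findings = []
    for host, cve in scan_results:
        year = catalog.get(cve)
        findings.append(Finding(
            host=host,
            cve=cve,
            critical_asset=inventory.get(host, False),
            known_host=host in inventory,
            exploited=year is not None,
            due=deadline(year, issued) if year is not None else None,
        ))
    findings.sort(key=lambda f: (not f.exploited, f.due or date.max,
                                 not f.critical_asset, f.host))
    return findings


def unknown_hosts(findings: List[Finding]) -> List[str]:
    """Hosts the scanner saw that the inventory did not know about (a visibility gap)."""
    return sorted({f.host for f in findings if not f.known_host})


if __name__ == "__main__":
    results = triage(SCAN_RESULTS, INVENTORY, KEV_CATALOG, "2021-11-01")
    for f in results:
        due = f.due.isoformat() if f.due else "no mandated deadline"
        print(f"{f.host:10} {f.cve:24} critical={f.critical_asset!s:5} due={due}")
    print("hosts missing from inventory:", unknown_hosts(results))
```

Run on the constructed data with a directive date of 2021-11-01, the 2021 entry comes due on 2021-11-15, the 2014 and 2020 entries on 2022-05-01 (the critical database host sorted ahead of the unknown legacy host), and the finding outside the catalog drops to the bottom with no mandated deadline. The `unknown_hosts` list is the visibility gap the article’s 94% figure refers to: a host that turned up in a scan but was never in the inventory. Because the inputs are plain mappings, the same function can be re-run on each fresh scan, which is the “continual” part of the process rather than a one-off.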
Let’s be clear: prompt patching isn’t a panacea. Consider integrating vulnerability management into a zero-trust strategy for a more comprehensive risk management approach. Cyber hygiene isn’t about reaching a state of 100% security. That’s impossible. It’s about raising the bar as high as you can to deter adversaries. And on that note, CISA’s directive is a great step in the right direction.