Do you remember the series of high-profile infrastructure attacks that occurred not so long ago this year? Well, now the United States government is taking matters into its own hands by ordering the patching of various vulnerabilities in affected systems. It’s a massive effort to thwart hackers and other cyberthreats from taking root in vulnerable systems.
This directive was issued by the Cybersecurity and Infrastructure Security Agency (CISA), and it has due dates ranging from November of 2021 all the way to May of 2022. CISA is pushing for all federal agencies and organizations to resolve a certain series of known, exploited vulnerabilities during this timeframe, with some notable exceptions for national security-related infrastructures.
This catalog of known, exploited vulnerabilities can be found on CISA’s website. The catalog includes all sorts of information on each known vulnerability, and all of them (around 300 or so) are believed to pose some sort of risk to the federal government. This catalog also contains links to the NIST database for guidance on how to apply patches and resolve these vulnerabilities.
This is a massive undertaking and one that will inevitably lead to some confusion as patches are deployed and administered—especially since each of the departments are responsible for deploying their own updates and are only accountable to CISA. That said, CISA is putting some pressure on these organizations to meet specific objectives and requirements within a set amount of time.
The timeline for deploying these patches and updates varies, but within 60 days, agencies must review and update their policies on vulnerability management. These policies and procedures must then be furnished upon request. Agencies must also have a policy in place for deploying the directive from CISA, a process that is incredibly involved. Organizations will have to identify who is responsible for what, as well as how they plan to track and report on the implementation process.
Patch management can be difficult for governments, but it’s even more challenging for small businesses that don’t have the seemingly limitless spending power and other resources afforded to larger organizations and enterprises. Instead of resolving issues that need to be resolved, SMBs tend to get around to patching things as they have the time and manpower to do so. This is not the correct approach, as every day you wait to patch vulnerabilities on your system is another day that a hacker could exploit them.
Horne & Benik can make the patch implementation process easy. We can automatically or remotely deploy patches and security updates to your organization’s hardware and software solutions without an on-site visit. This makes our services so easy and convenient that you’ll never consider ignoring a patch or security warning again.
To learn more about our security services, reach out to Horne & Benik at (603) 499-4400.