Patch management cannot be viewed as a low-level security to-do on a checklist. It serves a critical purpose for information security teams along with the organizations and end-users’ data they are responsible for protecting. Without patch management, software and systems become more of a constant risk than an asset. Apply it, and you can avoid the avoidable and all the business reputation dominos that come with it. The Equifax breach will be the hardest felt lesson in patch management to date with the unprecedented amount of PII data exposed. It stings even more because it was completely avoidable.
What other lessons can be gleaned from this latest incident?
- Patch management requires rapid response: The vulnerability identified in the breach, Apache Struts CVE-2017-5638, had a patch issued for it in March. The breach took place between May and July, meaning 60 days went by without any patch implemented. Time between an issued patch and installing it should be within a day or a week. And determining when to install should not be influenced by its impact on business disruption. All patches are important.
- Vulnerability scanning is not a quarterly PCI compliance activity: Any company dealing with credit card data for its business needs to comply with PCI DSS requirements. It is likely this vulnerability came up in Equifax’s quarterly vulnerability scan, an activity required to maintain compliance. But scanning should not be happening on a quarterly basis or be viewed as solely a PCI compliance activity. Scheduling recurring scans within defined scanning time-based “windows” on a weekly basis can ensure reassessments of previously known vulnerabilities and validation takes place, while identifying new, pre-existing or reintroduced vulnerabilities that need to be addressed.
- Know your scan scope: Vulnerability scanning is of little value if your team is not continually keeping track of the organization’s technology inventory and security controls. This leads to improper scan scopes. Equifax operates a sizeable number of websites that create a complex and constantly evolving inventory and security control list where an improper scan scope is a distinct possibility, preventing its security team from even knowing the Apache Struts CVE-2017-5638 vulnerability existed.
- Use the Common Vulnerability Scoring System (CVSS) to your advantage: The CVSS is a great scoring system for rating and triaging vulnerabilities when all scores are taken into consideration. Many organizations only look at the CVSS base score, which evaluates the vulnerability’s key attributes. However, it offers only a partial picture for decision makers. The temporal score (which looks at patch availability and if a known exploit exists) and the environmental score (which looks at the impact on the value of affected data) are equally important and need to be part of the broader assessment. The CVSS scores help inform decision making but teams need to remember that every vulnerability affects organizations differently based on their operations and infrastructure. It is important to also factor in subjective measures beyond the scores that account for business risks unique to the organization.
These four lessons outline key steps that can be executed by any security team. But the biggest lesson of all? The degree of success with these steps is dependent on effective communication and collaboration across business functions. InfoSec, IT, operations, and executive management need to play a collaborative role to ensure data and assets remain uncompromised no matter the industry.