
Beyond Biden’s binding security directive

In November 2021, the Biden administration, through the Cybersecurity and Infrastructure Security Agency (CISA), issued Binding Operational Directive (BOD) 22-01. It creates two primary tools to protect federal data and systems from cyberattacks. First, it establishes a formal catalog of known exploited vulnerabilities, maintained by CISA; second, it sets remediation requirements and deadlines for all federal civilian agencies (and the contractors and third parties that operate systems on their behalf). The directive aims to protect government agencies from cyber risks that could lead to major intrusions into their networks and systems. It turns out that federal agencies, like their private-sector counterparts, face significant challenges in patch management.

The directive came at just the right time. Over the past 12 to 24 months we have seen a rapid increase in sophisticated attacks by well-funded threat actors motivated to steal and leak sensitive information. These attacks affect all of our interconnected systems in the private and public sectors; no one is immune. Our threat research has shown that threat actors rapidly exploit known vulnerabilities, often launching attacks within 72 hours of a patch being released. Unfortunately, few organizations have the resources to patch that quickly.

The real concern, however, is how far behind many organizations, public and private, are in their patch management processes. We regularly find known vulnerabilities in our customers' business-critical applications that have been public for years and remain unpatched. The directive aims to change that by ensuring agencies and their third-party vendors have plans in place to find and fix these known vulnerabilities.

Several studies have shown that detecting vulnerabilities quickly and prioritizing the right patches is the biggest challenge. The directive supports federal agencies by establishing a prioritized catalog of vulnerabilities known to be exploited, each entry carrying a remediation due date. The responsibility for developing remediation plans and processes, however, remains with the individual agencies.
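As an added illustration of how such a catalog can drive prioritization (example code written for this page, not part of the original article and not CISA tooling), the script below cross-references a constructed asset inventory against a constructed catalog excerpt. The field names follow the layout of CISA's published known_exploited_vulnerabilities.json feed, which is an assumption about that format; the vendor names, hosts and CVE identifiers are placeholders invented for the example. Open items are ordered by remediation due date, overdue ones first.

```python
"""Triage an asset inventory against a KEV-style catalog of known exploited
vulnerabilities, ordering remediation work by due date.

Example added for illustration; it is not code from the original article.
"""
import json
from datetime import date

# Constructed KEV-style catalog excerpt. The field names follow the layout of
# CISA's published known_exploited_vulnerabilities.json feed (an assumption
# about that format); every entry below is a placeholder, not a real record,
# and the CVE IDs are invented for the example.
KEV_JSON = """
{
  "title": "constructed KEV excerpt (example data)",
  "vulnerabilities": [
    {"cveID": "CVE-2021-99901", "vendorProject": "ExampleVendor", "product": "ExampleERP",
     "dateAdded": "2021-11-03", "dueDate": "2021-11-17",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2019-99902", "vendorProject": "ExampleVendor", "product": "ExampleERP",
     "dateAdded": "2021-11-03", "dueDate": "2022-05-03",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2021-99903", "vendorProject": "OtherVendor", "product": "WebGateway",
     "dateAdded": "2021-11-10", "dueDate": "2021-11-24",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2018-99904", "vendorProject": "OtherVendor", "product": "MailRelay",
     "dateAdded": "2021-11-10", "dueDate": "2022-05-10",
     "requiredAction": "Apply updates per vendor instructions."}
  ]
}
"""

# Constructed asset inventory: which product runs on which host, and which
# catalog CVEs have already been remediated there (hypothetical data).
INVENTORY = [
    {"host": "erp-prod-01", "vendorProject": "ExampleVendor", "product": "ExampleERP",
     "patched_cves": ["CVE-2019-99902"]},
    {"host": "erp-dev-02", "vendorProject": "examplevendor", "product": "exampleerp",
     "patched_cves": []},
    {"host": "vpn-edge-01", "vendorProject": "OtherVendor", "product": "WebGateway",
     "patched_cves": ["CVE-2021-99903"]},
    {"host": "dns-01", "vendorProject": "SomeVendor", "product": "DNSServer",
     "patched_cves": []},
]

# Fixed "today" so the worked result is reproducible.
TODAY = date(2021, 12, 1)


def load_catalog(json_text):
    """Parse a KEV-style feed into a dict keyed by case-folded (vendor, product)."""
    index = {}
    for entry in json.loads(json_text)["vulnerabilities"]:
        key = (entry["vendorProject"].casefold(), entry["product"].casefold())
        index.setdefault(key, []).append(entry)
    return index


def prioritize(catalog_index, inventory, today):
    """Return one finding per (host, catalog CVE) still open on that host,
    ordered so overdue items come first and nearer deadlines before later ones.

    The catalog carries no version data, so a vendor/product match is treated
    as exposure until the inventory records the CVE as patched; that errs on
    the side of listing too much rather than too little."""
    findings = []
    for asset in inventory:
        key = (asset["vendorProject"].casefold(), asset["product"].casefold())
        applied = {c.upper() for c in asset.get("patched_cves", [])}
        for entry in catalog_index.get(key, []):
            if entry["cveID"].upper() in applied:
                continue
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            findings.append({
                "host": asset["host"],
                "cveID": entry["cveID"],
                "dueDate": entry["dueDate"],
                "days_left": days_left,  # negative means the due date has passed
                "status": "OVERDUE" if days_left < 0 else "open",
                "requiredAction": entry["requiredAction"],
            })
    findings.sort(key=lambda f: (f["days_left"], f["host"], f["cveID"]))
    return findings


def run_example():
    """Triage the constructed inventory against the constructed catalog."""
    return prioritize(load_catalog(KEV_JSON), INVENTORY, TODAY)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['status']:8} {f['dueDate']}  {f['host']:12} {f['cveID']}  ({f['days_left']:+d} days)")
```

Because the catalog lists vendor and product but no affected version ranges, the join above deliberately over-reports: every host running a listed product shows up until the inventory records the fix as applied. In practice the inventory side would come from a real asset or software inventory rather than the hand-written list used here, and the due-date ordering is what turns the catalog into a work queue rather than a reading list.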

Nonetheless, we are pleased to see the Biden administration take a critical step toward improving America's cybersecurity posture, which in turn improves that of the companies serving the federal government. While bold, it is still only a first step in minimizing and mitigating the systemic risk to critical systems used by the U.S. government and its private-industry partners. The directive's requirements simply enforce standard security practices that we already know work.

We should take this opportunity to explore other cybersecurity best practices that organizations often find challenging. We have seen that lax application of standard security practices can lead to disastrous results. The following are examples of security procedures that would significantly improve the security posture of the United States and its private partners.

Identify and mitigate third-party risks
An organization's security is only as strong as its weakest link. Because critical applications are at the heart of an organization's operations, they are connected not only to multiple internal systems but also to third parties. Because these applications span multiple entities, organizations need documented processes for assessing third-party risk, and any vulnerability management program must extend to connected systems and third parties to give an accurate picture of risk.

Start by evaluating all third-party vendors: get a clear picture of what data each has access to and how that data is used.

Establish continuous monitoring controls
As the SolarWinds attack showed, even routine software updates can have significant cybersecurity implications for federal agencies and private industry. While strengthening your defenses is important, you also have to verify that the fox is not already in the henhouse.

Implementing real-time monitoring of your critical applications can help identify threats as they occur, alert the right response teams so they can intervene before an incident becomes a crisis, and ultimately prevent threat actors from exposing sensitive data.

Better cybersecurity education for employees
Repeated research has shown that phishing and social engineering are, alongside the exploitation of software bugs, the most common ways organizations and networks are compromised. Often people make simple mistakes when they are pressed for time or just trying to get their job done: they click on phishing links or open links and attachments that deliver malware.

Of all attack vectors, this one is highly preventable: helping employees understand how they are being targeted goes a long way.

Back to Basics
Directives on patch management will force agencies and their partners to address known vulnerabilities in their systems, something they should always have been doing. The directive seeks to largely cut off this attack vector. Since it applies to all software and hardware on federal information systems, whether managed on agency premises or hosted by a third party on an agency's behalf, it will have broad implications.

The Biden administration has taken some bold steps to increase federal awareness of, and accountability for, the software vulnerabilities that put our government and society at risk. We look forward to seeing the federal government begin to institutionalize other security best practices. It is well known that actions taken at the federal level have knock-on effects downstream in the private sector. If the federal government takes the lead here, its influence on the public and private sectors will be profound, leading to better security for our most critical systems now and in the future.
