Note that an IAVA is an Information Management Vulnerability Alert, which generally starts at the US Computer Emergency Response Team (CERT) level, and then is promulgated down to US Cyber Command and the Cyber Commands of the military service branches.
#MOST CRITICAL UPDATES FOR WINDOWS 7 PATCH#
The current objective for all patching in the DoD, according the Cybersecurity Discipline Implementation Plan, dated February 2016 is: “ All DoD information systems have current patches within 21 days of IAVA patch release.” In addition: “Systems with high risk security weaknesses that are over 120 days overdue will be removed from the network.” Upon examining all of these, I found that they actually provide varying advice on patching/update frequency – based on the criticality of the system, level of data being processed, or criticality/impact of the patches to be implemented. There is also doctrine on security controls (including patching /updates) in various guides such as the NIST SP 800-53 Risk Management Framework the DoD Cybersecurity Discipline Implementation Plan.
In fact, we used to joke that if you followed all of the STIG guidance, you would “brick” your system! There is, of course, always a tradeoff between system security and usability. The STIGs serve as the reference guides for all of DoD and represent what I would call “high assurance” best practices. The Defense Information Systems Agency (DISA) publishes Security Technical Implementation Guides (STIGs), which are checklists for security hardening of information systems/software “that might otherwise be vulnerable to a malicious computer attacks.” These outline security best practices for a variety of technologies – e.g., Windows OS, networking devices, database, Web, etc. You would think the DoD would have a best practice in place for that! But when I researched this recently, I couldn’t find an Army or DoD reference to support this timeframe. Typically, whenever we assessed those Army systems, if they had any missing patches or antivirus updates for more than a week, we would fail them. I started in the 1990s with the Department of Defense (DoD) Information Technology Security Certification & Accreditation Process (DITSCAP), and then moved to the DoD Information Assurance Certification and Accreditation Process (DIACAP), and finally the Risk Management Framework (RMF) that is in use today. I probably did more than 500 of these on every type of system – from a small, rack-mounted tactical command & control server in the back of a Humvee to a 350,000-user wide area network in all 50 states. So, I hearkened back to the days when I was performing security audits for the Army. Patching Frequency Best Practices from DoD
#MOST CRITICAL UPDATES FOR WINDOWS 7 UPDATE#
If you go to a source such as the Center for Internet Security they talk about patching as a critical security control and say you need a formalized program of patch management to “regularly update all apps, software, and operating systems.” But they don’t say much about how or how often this should be done.
A client asked the other day for guidance on best practices regarding how often they ought to patch their systems. My immediate thought was “continuously.” However, most small to mid-sized enterprises don’t have the resources for that.
0 kommentar(er)
