I can’t believe that the end of 2021 is already in sight, and looking back I have to say that we have seen some interesting events. If I had to characterize it from a security standpoint, I would say this is the year of supply chain attacks. Before January, most of us had rarely heard the term, but then SolarWinds, Kaseya, and others were in the news and we heard it all year round.
Noticeably closer to home, we all had to deal with PrintNightmare, including the vulnerabilities and the series of software updates and configuration changes required to address them. The news has subsided, but it was a hot topic of discussion from June to September. Let’s hope for a few quiet weeks to end the year over the holidays.
I mentioned last month that the Cybersecurity and Infrastructure Security Agency released a list of around 200 vulnerabilities that civilian federal agencies need to fix in just two short weeks. This list, part of Binding Operational Directive 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, has been expanded and now carries additional deadlines running until May 2022, by which the added vulnerabilities must be remediated.
But this directive requires much more than just updating systems to fix the vulnerabilities. To paraphrase the directive, the agencies concerned must also have policies in place to a) establish a process to manage the vulnerabilities, b) assign staff to manage this process, c) identify measures to carry out the process, d) validate and enforce the process, and e) provide tracking and reporting on the process.
While there are older vulnerabilities dating back to 2014, most of these vulnerabilities date from 2020-2021, and updating an entire organization can take months of planning and execution if there is no efficient patch management infrastructure in place.
Two of the best sources of information for building such an infrastructure are the Center for Internet Security (CIS) 18 Critical Security Controls and the NIST Cybersecurity Framework. These documents can help you combine policies, procedures, and the software of your choice into a comprehensive security program that is tailored to your business. You can also choose to tactically tackle a smaller function like patch and remediation first and slowly add other aspects like account management, data recovery, disaster recovery, and so on.
Every organization is unique, but the frameworks recommended by CIS and NIST provide a common set of definitions and a comprehensive set of requirements to work from. Assuming we have a few quiet weeks after Patch Tuesday, take a moment to benchmark your program against these and see how you fare. There may be room for improvement that you haven’t thought of before.
I expect a very light Patch Tuesday, as it’s already mid-December and many vendors have already released their updates for the month.
December 2021 Patch Tuesday forecast
I wish everyone a Merry Christmas and hope that you can finally have a good time with relatives and friends. Stay safe!