Back to Basics – Asset Management, Software Vulnerability Management and Patching
by Kathleen Grote, Information Security Officer
Our Information Security Officer, Kathleen Grote, is back to provide an update on how to protect your institution’s software and other information technology assets.
Vulnerability management and patching are required processes and considered basic components of a well-managed security program. According the National Institute of Standards and Technology (NIST), “A software vulnerability is caused by one or more known defects that have been discovered in software, and that can be exploited to affect an adverse security or privacy outcome. Vulnerable software is software in use on a system that has a software vulnerability but has not yet been patched or otherwise mitigated.”
What steps should you consider to ensure your systems’ safety? A well-managed security program has repeatable vulnerability management and patching processes in place, with trends noted and reported up the leadership chain.
Vulnerability management could be accomplished in several ways, but the most reliable method is to use an automation tool. Configure the tool to regularly scan all software within an organization’s control, such as operating systems, productivity software, utilities, IT and project management software, Internet of Things (IoT) devices, etc.
Using an automation tool helps ensure the current scan detects the latest release of software versions installed and in use. Scanning an entire network may take several hours, depending on the number of devices and systems. The tool should produce output that identifies which system(s) are running older, vulnerable versions of each installed software application. The tool should also provide a reference to the software patch needed to remediate any security vulnerability.
It is important to prioritize efforts to remediate reported vulnerabilities by patching systems presenting the highest risks to the organization. Risk factors to consider include the Common Vulnerability Scoring System (CVSS) rating of each reported vulnerability, if the system is externally accessible, the likelihood of exploitation, the classification of data hosted on the system, etc.
The next repeatable process is patching. Software companies usually support a “life-cycle development” process for commercially sold software. Some software development companies run a “bounty” program where “white-hat hackers” are invited to discover security weaknesses and report them to the software development company with the expectation of compensation.
A responsible software development company will develop a patch to fix the security vulnerability and perform regression testing to ensure the software still works as intended after the patch is applied. The patch is then made available to users of the software. The user (that’s you!) should install the patch on a test system in their own test environment, run the software through its paces to ensure the software continues to work as expected, then, and only then, proceed with installing the patch on production systems. The time between test and production installation will depend on the severity of the security issue(s) and the results of testing in your environment. Time-to-patch could be one metric used to assure leadership that your security processes are repeatable and effective.
FHLBank Topeka uses an automated scanning tool, reviews the output with an internal working group and metrics are reported to leadership.
For more information on what you can do to protect your IT assets, see these publications:
https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8011-4.pdf
https://csrc.nist.gov/publications/detail/sp/800-40/rev-3/final
