TechRepublic: US government orders federal agencies to patch 100s of vulnerabilities
On November 4, 2021, NetSPI Managing Director Nabil Hannan was featured in an article by TechRepublic:
In the latest effort to combat cybercrime and ransomware, federal agencies have been told to patch hundreds of known security vulnerabilities with due dates ranging from November 2021 to May 2022. In a directive issued on Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA) ordered all federal and executive branch departments and agencies to patch a series of known exploited vulnerabilities as cataloged in a public website managed by CISA.
The directive applies to all software and hardware located on the premises of federal agencies or hosted by third parties on behalf of an agency. The only products that seem to be exempt are those defined as national security systems as well as certain systems operated by the Department of Defense or the Intelligence Community.
All agencies are being asked to work with CISA’s catalog, which currently lists almost 300 known security vulnerabilities with links to information on how to patch them and due dates by when they should be patched.
…
Within 60 days, agencies must review and update their vulnerability management policies and procedures and provide copies of them if requested. Agencies must set up a process by which they can patch the security flaws identified by CISA, which means assigning roles and responsibilities, establishing internal tracking and reporting, and validating when the vulnerabilities have been patched.
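The internal tracking the directive calls for amounts to comparing the catalog's per-entry due dates against what has actually been remediated. The script below is an added illustration, not code from TechRepublic, NetSPI or CISA: it takes a catalog in the shape of CISA's public JSON feed (the field names `vulnerabilities`, `cveID`, `vendorProject`, `product` and `dueDate` are assumed to mirror that feed; the entries and dates themselves are constructed) plus a set of entries an agency has validated as patched, and sorts the rest into overdue, due within a warning window, and not yet due.

```python
"""Track a KEV-style catalog against an agency's validated remediations.

Added example (not part of the original article). The catalog layout is
assumed to follow CISA's public JSON feed; all entries below are constructed.
"""
from datetime import date, timedelta

# Constructed sample catalog; CVE ids and dates are placeholders, not real data.
SAMPLE_CATALOG = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "VendorA", "product": "Gateway",
         "dueDate": "2021-11-17"},
        {"cveID": "CVE-0000-0002", "vendorProject": "VendorB", "product": "Mail",
         "dueDate": "2021-11-30"},
        {"cveID": "CVE-0000-0003", "vendorProject": "VendorC", "product": "Portal",
         "dueDate": "2022-05-03"},
        {"cveID": "CVE-0000-0004", "vendorProject": "VendorA", "product": "Agent",
         "dueDate": "2021-11-17"},
    ]
}


def classify(catalog, today, patched, window_days=14):
    """Bucket catalog entries by remediation status as of `today`.

    `patched` is the set of CVE ids the agency has *validated* as fixed
    (validation, not a deployment ticket, is what the directive asks for).
    Returns a dict with lists of CVE ids under the keys
    'patched', 'overdue', 'due_soon' and 'not_yet_due'.
    """
    window = timedelta(days=window_days)
    buckets = {"patched": [], "overdue": [], "due_soon": [], "not_yet_due": []}
    for entry in catalog["vulnerabilities"]:
        cve = entry["cveID"]
        due = date.fromisoformat(entry["dueDate"])
        if cve in patched:
            buckets["patched"].append(cve)
        elif due < today:
            buckets["overdue"].append(cve)
        elif due - today <= window:
            buckets["due_soon"].append(cve)
        else:
            buckets["not_yet_due"].append(cve)
    # Deterministic ordering makes the report diff-able between runs.
    return {k: sorted(v) for k, v in buckets.items()}


def report(catalog, today, patched, window_days=14):
    """Render a short status report grouped by owning product for reporting up."""
    status = classify(catalog, today, patched, window_days)
    by_cve = {e["cveID"]: e for e in catalog["vulnerabilities"]}
    lines = [f"KEV status as of {today.isoformat()}"]
    for bucket in ("overdue", "due_soon", "not_yet_due", "patched"):
        lines.append(f"{bucket} ({len(status[bucket])}):")
        for cve in status[bucket]:
            e = by_cve[cve]
            lines.append(f"  {cve}  {e['vendorProject']}/{e['product']}  due {e['dueDate']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Entry 0004 has been validated as patched; 0001 is past due; 0002 is 10 days out.
    print(report(SAMPLE_CATALOG, date(2021, 11, 20), {"CVE-0000-0004"}))
```

In practice the `patched` set would be populated from the agency's own validation records (rescans or configuration checks), not from change tickets, since the directive requires confirming that the fix is in place.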
However, patch management can still be a tricky process, requiring the proper time and people to test and deploy each patch. To help in that area, the federal government needs to provide further guidance beyond the new directive.
“This directive focuses on patching systems to meet the upgrades provided by vendors, and while this may seem like a simple task, many government organizations struggle to develop the necessary patch management programs that will keep their software and infrastructure fully supported and patched on an ongoing basis,” said Nabil Hannan, managing director of vulnerability management firm NetSPI.
“To remediate this, the Biden administration should develop specific guidelines on how to build and manage these systems, as well as directives on how to properly test for security issues on an ongoing basis,” Hannan added. “This additional support will create a stronger security posture across government networks that will protect against evolving adversary threats, instead of just providing an immediate, temporary fix to the problem at hand.”
Read the full TechRepublic article here: https://www.techrepublic.com/article/us-government-orders-federal-agencies-to-patch-100s-of-vulnerabilities/