Learning
As I look at the picture above I wonder if it represents a white-hat or black-hat operation. The environment looks to be a bit cobbled together and possibly made out of necessity. There are different brands, different functionality, different connection types, and many different devices all being used for a common purpose. There is even a soldering iron on the desk for those quick and easy logic board fixes. This is probably not unlike your school networks and your own support team desks - messy at times, but highly functional.
Disparate environments are common in technology. Hardware is purchased as available, not as planned. Vendor loyalty is sometimes not as important as cost savings and stewardship of taxpayer dollars. Software is vetted, but there are often dozens of titles to install. Even the best software vetting policies can't rule out the one time when a special software package was needed for one particular project and was never used again.
Our environments get cluttered quickly and things can be forgotten or ignored. Our priorities shift to the next big thing instead of system hardening the last big thing. We learned in the articles above that a common attack vector is to exploit well-known vulnerabilities for which a fix may already exist but hasn't been applied. Attackers rely on the fact that IT teams are overwhelmed with disparate environments and forgotten technologies.
Patching of software/hardware including operating systems, server appliances, virtual appliances, productivity software, BIOS, printers, Internet-of-things (IoT) devices, or embedded systems for cameras and security can help protect your environment from attackers. Of course, you know it's not all about Windows Updates or Chrome version numbers. Patching and applying updates can be a monotonous, unforgiving, unending, and grueling proposition, which is another reason why it might not be given the attention required in your environment.
Here are 5 tips that can help you achieve a more robust patching and updating posture as part of your cybersecurity program.
- Perform a Risk Assessment
A risk assessment doesn't have to be a formal process with paperwork, committees, and focus groups. It can simply be your team developing an inventory of software/hardware and brainstorming the impact of an attack on those items. Where should you focus your efforts first? What has the highest level of impact on the most users? Where are your oldest systems? Which are known to be the most vulnerable to existing attack methodologies? For example, now is the time to identify Windows 95/98/XP/Vista clients (known as an attacker's paradise) and remove them. Focus your efforts on the highest risks first. Small wins can create a wave of excitement.
- Simplify the Environment
If your disparate environment has become overwhelming, then make the effort to simplify it. Take advantage of hardware refresh schedules and replace aging technologies. Budget for replacement as a cybersecurity priority. Don't be afraid to stop using and decommission certain hardware or software based on your security standards, even if "it still works." Standardize on hardware manufacturers and system configurations. Remove older software titles that serve only a small population and encourage those users to adapt to mainstream titles. Create policies that enforce a culture of using current and supported hardware and software.
- Commit to the Task
We have all been there. We have all sat in agony and watched our Windows laptop apply update 32 of 129... for what seems like an hour. We have all decided that the latest patch for the security camera embedded software was probably not a critical need and we didn't have time for it. We have all thought at least once that we aren't a target, we have a good firewall, or an obscure patch wasn't going to make a difference anyway. Commitment is important when developing and maintaining a strong cybersecurity posture. Commitment to patching and updating is just as important as the commitment to user training, firewalls, or IDS/IPS. As a technology leader, you must lead the charge to make sure that systems and devices are patched to the best of your team's abilities.
- Automate Everything
In general, whenever you can automate a process or task you should do so. Patching can be done through control software on your network. Whether Windows, Linux, Android, macOS, iOS, or watchOS, the patches can be automated and applied at your convenience. Obscure systems may still need manual attention, but the bulk of your client devices and system hardware/software can be patched during routine maintenance cycles or scheduled events. Third-party solutions also exist to help with the patching of more than just operating systems.
- Inform Your Community
If your community of users doesn't know that you have a strong stance on patching and updating, you will need to inform them. They will need to know and be reminded of maintenance windows and scheduled downtime for services. They will need to understand their own responsibilities and set their expectations surrounding the inconveniences of loading updates to devices that might affect instructional time. Keep your users informed of your efforts. It not only serves to let them know when things may be unavailable, but also serves to give them confidence that you are fighting to keep them safe.
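The informal risk assessment from the first tip can start as a script over an inventory spreadsheet. The following is an added example, not part of the original article: the inventory rows are constructed, and the column names, thresholds and weights are assumptions chosen only to mirror the questions that tip asks (most users affected, oldest systems, unapplied fixes, Windows 95/98/XP/Vista clients).

```python
import csv
import io
from datetime import date

# Constructed sample inventory (not real data).
INVENTORY_CSV = """name,os,users,in_service,last_patched
front-office-pc,Windows XP,3,2006,2014-04-08
student-lab-image,Windows 10,450,2019,2024-01-15
sis-server,Windows Server 2016,1200,2017,2023-06-01
hallway-camera-dvr,Embedded Linux,40,2015,2016-02-20
library-kiosk,Windows Vista,25,2008,2012-10-09
"""

# Client versions the article says to identify and remove.
UNSUPPORTED_CLIENTS = ("Windows 95", "Windows 98", "Windows XP", "Windows Vista")


def score(row, today):
    """Return (points, reasons). All weights are illustrative assumptions."""
    reasons = []
    points = min(int(row["users"]) // 50, 20)  # impact on the most users, capped
    age = today.year - int(row["in_service"])
    if age >= 7:  # oldest systems
        points += 10
        reasons.append(f"{age} years in service")
    stale = (today - date.fromisoformat(row["last_patched"])).days
    if stale > 180:  # fixes may exist but have not been applied
        points += min(stale // 180, 10)
        reasons.append(f"{stale} days since last patch")
    if row["os"].startswith(UNSUPPORTED_CLIENTS):
        points += 50  # no further fixes: remove rather than patch
        reasons.append("unsupported OS: decommission")
    return points, reasons


def rank(csv_text, today):
    """Return [(name, points, reasons)] sorted highest risk first."""
    ranked = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        points, reasons = score(row, today)
        ranked.append((row["name"], points, reasons))
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for name, points, reasons in rank(INVENTORY_CSV, date.today()):
        print(f"{points:3d}  {name:20s} {'; '.join(reasons)}")
```

The unsupported clients land at the top even with few users, while the widely used but recently patched lab image lands at the bottom.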
If you use these tips, your environment can be bolstered and ready to ward off the attackers that would use old tricks against you. As part of a defense in depth or layered approach to cybersecurity, your ability to maintain cyber resiliency is strengthened.