US government agencies must speed up their patching game, according to new rules from the Department of Homeland Security – and you should too. Their new directive makes it clear: Agencies must patch “critical” software vulnerabilities in 15 days and the “high” ones within 30 days.
That accelerates the deadline from the previous 30-day limit for critical vulnerabilities – and no time limit existed for those other vulnerabilities.
The goal of the new directive is to sharply reduce the time window between when a new zero-day vulnerability is discovered and when a patch is available and installed to fix it. This is the free-for-all time when devices can be protected but are not due to owner or system administrator not getting the prepared software patch installed.
The enforcement system for this is the DHS’ own system for scanning and checking the status of software installed on agency networks. Once the Cyber Hygiene system detects a software flaw, it starts sending a series of alerts to the agency and its IT department. If the agency fails to respond, the warnings escalate and could end up in a penalty for the relevant CIO or CISO.
Keeping slow and old scores with patches
While the 15-day deadline is a 100% improvement, there are two catches for the new guidelines. First, 15 days is a long, long time in cyberspace. In the event of a serious vulnerability which is getting actively exploited in the wild – a lot of damage can be done in this time. Second, the DHS will use the older system for scoring vulnerabilities – the CVSS version 2. It is a bit less strict on the criteria than the newer CVSS 3 system. All-in-all, it is a good step forward.
Vulnerabilities make me WannaCry
This directive comes on the two-year anniversary WannaCry – a ransomware that put the Eternal Blue, exploit from NSA’s box of tricks, to some pretty nefarious uses. The most ironic aspect to the spread of WannaCry was that a patch to the Eternal Blue vulnerability was already available when the ransomware attack went viral.
“I cannot stress how utterly important it is to have your system up to date,” said Oscar Anduiza, malware analyst at Avira during the outbreak. “In a perfect world where everyone had installed this patch, an attack like this would have been unthinkable.”
But happen it did … and it could happen again. Both then and now, patching your device is one of the most basic measures a person and an organization can do to protect themselves from malware. Speed and consistency in updating are essential security habits.
As the DHS has now mandated – update faster. And if you don’t want to do it manually, get a good updater that will do it automatically for you like the Avira Updater Pro.