Patch management: It's not sexy, but it can keep you secure

 

Connecting state and local government leaders

Former US-CERT director Mischel Kwon says that responding to real attacks and paying attention to the drudge work of patch and vulnerability management can go a long way toward improving government IT system security.

When it comes to defending information systems, there is no silver bullet that will save administrators and security officials from the day-to-day work of managing system vulnerabilities and monitoring network activity.


More on this topic

Agencies re-engineer their networks to comply with Trusted Internet Connection initiative

Leaders call for bolder security strategy


“It’s not sexy,” said Mischel Kwon, who until recently was director of the U.S. Computer Emergency Readiness Team (US-CERT). “But the majority of our problems today are patchable.”

Even with the growing number of zero-day attacks and increasingly sophisticated threats built around social engineering, the existing base of known vulnerabilities for which patches are available still presents the largest and most frequently targeted attack surface. Reactive security standards that would require real-time network monitoring and response to attacks could help eliminate this soft underbelly of government networks, Kwon said.

Kwon, who also has been deputy director for IT security staff at the Justice Department, where she stood up the Justice Security Operations Center and was the lead for the Trusted Internet Connection, recently returned to the private sector as vice president of public security solutions at RSA, the Security Division of EMC. She spoke bluntly last week about the challenges of government information security, calling inadequately funded IT programs that do not incorporate real-world threat response “just yadda-yadda. That’s a lot of what we do.”

Unfortunately, these apparently simple security solutions to IT security are not practical within current government architectures and resources, she said.

“There is no single federal civil [wireless area network],” she said. There are more than 100 executive branch agencies with their own networks. The 12 Cabinet-level departments alone have the nation’s largest IT budgets, and each has at least 20 subagencies, many of them with their own networks. “It is very difficult to manage networks” in this environment.

The problem is compounded by the segregation of duties and budgets within enterprises, she added. Agency critical missions are being moved onto IT platforms, but those responsible for the missions are not responsible for IT security. Systems are not being watched for threats to the mission and infrastructure, and are not being refreshed and reauthorized as needed to respond to these threats.

The good news is that things are beginning to change, Kwon said. Agencies such as her old home, Justice, the State Department, IRS and the Federal Aviation Administration are consolidating WANs and setting up security operations centers.

At State, “they’re trying to take [the Federal Information Security Management Act] and make it actionable,” she said. It constructed a WAN with limited and trusted Internet connections before TIC was mandated. A department SOC does real-time monitoring of systems and works with the CIO to understand what is happening and to adjust security controls in response to attacks in a continuous life cycle of monitoring and response.

Another positive trend she sees is the government’s embracing of virtualization. Patching is complex and expensive, and putting resources on fewer pieces of hardware can help to simplify patching and configuration management through the life cycle of the system.

“The bad news is, they are not getting money for this,” Kwon said. Agencies have to ask Congress for additional appropriations to help make their systems more security-friendly. Here again, the segregation of business and IT missions makes adequate baseline funding more difficult to achieve.

Although government security awareness programs are improving, this is not a solution, she said. “We are making the same fundamental mistakes over and over again, relying on the user to fix things.” Security has to be baked into the IT architecture and its management.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.