NIST revamps aging enterprise patch management guidance

The US National Institute of Standards and Technology (NIST) has overhauled its enterprise patch management guidance for the first time in nearly a decade.

Whereas the previous, 2013 iteration focused on helping organizations to deploy patch management technologies, the new edition centers on developing strategies for patch management.

Put together by NIST’s National Cybersecurity Center of Excellence (NCCoE), NIST Special Publication (SP) 800-40 Revision 4 “is based on the assumption that […] organizations would benefit more from rethinking their patch management planning than their patch management technology”.

Nevertheless, NIST has also issued a companion publication demonstrating how commercial tools can support enterprises in implementing its revised guidance.

‘Simplify and operationalize’

The new, strategy-focused guidance “discusses common factors that affect enterprise patch management and recommends creating an enterprise strategy to simplify and operationalize patching while also improving reduction of risk”.

In doing so, the guidance sets out to bridge the “divide between business/mission owners and security/technology management about the value of patching”, according to NIST.

The companion publication, NIST SP 1800-31, emerged from a collaboration between NCCoE and some of the biggest providers of cybersecurity technologies.

Featuring contributions from the likes of Cisco, IBM, and Microsoft, it outlines how commercial technologies can be deployed to “implement the inventory and patching capabilities organizations need to handle both routine and emergency patching situations”, as well as “implement temporary mitigations, isolation methods, or other alternatives to patching”.

The guidance also recommends “security practices for protecting the patch management systems themselves”.

Equifax lesson

NIST frames the patching of security vulnerabilities in firmware, operating systems, or applications as a necessary “cost of doing business”.

When neglect of patch management results in serious compromises, these costs are undoubtedly dwarfed by the financial and reputational costs attendant to system downtime, data breaches, and other adverse outcomes.

No organization is more acutely aware of this fact than Equifax, which recently finalized a settlement for the victims of a 2017 data breach that has cost the credit reporting agency years of grief and millions of dollars so far.

The breach, which exposed the personal information of more than 163 million individuals, arose from an Apache Struts vulnerability for which a patch had been available for two months prior to its exploitation by cybercriminals.

Faster attackers

Whether through inefficiency, worries about system availability, or various other reasons, many enterprises clearly remain slow to patch systems – even as attackers continue to get faster at exploiting vulnerabilities.

A recent study by cybersecurity firm Rapid7, for instance, found that the average time to exploitation of known vulnerabilities had, year on year, plummeted from 42 to 12 days.

With leading technology vendors demonstrating significant improvements in rolling out patches, NIST will hope the update to its patch management guidance will encourage enterprises to become more nimble too.

Source: https://portswigger.net/daily-swig/nist-revamps-aging-enterprise-patch-management-guidance
