Cybersecurity - New regulatory requirements in patch management
Cybersecurity is a major issue in the financial sector and a top priority for regulators. Regulatory pressure intensified in May 2017 with the publication of CSSF Circular 17/655, which requires banks and investment firms to strengthen their controls in the field of patch management.
This comes as no surprise considering the recent massive outbreaks of ransomware and malware—WannaCry on 12 May 2017 and NotPetya (or Nyetna) on 27 June 2017—both leveraged a vulnerability in Microsoft Windows computers which had been fixed by Microsoft back in mid-March 2017.
As per NIST, patch management is the process for identifying, acquiring, installing, and verifying patches for products and systems. Patches correct problems in software, including security vulnerabilities. Patch management is commonly required by security frameworks or standards, such as CIS Critical Security Controls for Effective Cyber Defense, ISO 27001 Annex A, PCI DSS, or NIST Cyber Security Framework.
What are the new requirements?
Circular 17/655 requires banks and investment firms to implement (i) a security monitoring process that ensures they are promptly informed of new vulnerabilities and (ii) a patch management procedure that ensures significant vulnerabilities are corrected in a timely manner.
In addition, the internal audit function shall cover these controls as part of its multi-year audit plan and, in particular, report any failure to implement a known patch, documenting the reasons for the failure in an audit point.
Where do you stand?
Understanding the current patch management posture of your organization begins with answering important questions:
1. Have we assigned clear roles & responsibilities?
Patch management roles and responsibilities should be specifically defined and formally assigned to one or more employees within your IT and Information Security functions. This becomes particularly critical if your organization has outsourced some functions.
2. Do we know our IT assets?
Effective patch management requires accurate and current knowledge of what software is running in your environment. An incomplete asset inventory will result in a security monitoring process based on an incomplete scope, which will be prone to miss new vulnerabilities affecting your environment. Your inventory should include contextual information on assets, such as their potential exposure to public networks, in order to support risk-based decisions.
3. What are the capabilities of our patch management technology?
Patch management should be supported by technology enabling process automation. Some common capabilities include:
- Identifying vulnerable versions of software that are installed
- Identifying which patches are needed
- Installing patches using a phased approach
- Verifying installation
The comfort brought by software tooling should not, however, lead your organization to neglect alternative architectures, which may be more challenging to patch (e.g. mobile devices, appliances, unmanaged hosts, firmware, etc.).
4. What are the inputs to our security monitoring process?
Your security monitoring process should rely on reputable outside sources for security vulnerability information, such as vendor websites or mailing lists. Cyber threat intelligence should be considered in order to prioritize patch deployment based on relevant vulnerabilities being exploited in the wild.
5. Do we measure effectiveness and efficiency?
Your organization should implement and use appropriate measures to steer its patch management processes, e.g.:
- How often are asset inventories updated?
- What is the average time to apply patches to critical hosts?
- What percentage of hosts are fully patched at any given time?
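As an added illustration (not from the circular or this article), the following Python computes the three measures above over a constructed asset inventory and, drawing on the exposure context from question 2 and the exploited-in-the-wild flag from question 4, orders the remaining patch backlog for deployment; all hosts, patch ids and dates are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed sample data (hypothetical hosts, patch ids and dates).
# Patch catalogue: id -> (vendor release date, known to be exploited in the wild)
PATCHES = {
    "P-001": (date(2017, 3, 14), True),
    "P-002": (date(2017, 4, 11), False),
    "P-003": (date(2017, 5, 9), False),
}
AS_OF = date(2017, 7, 1)  # reporting date for the metrics

@dataclass
class Host:
    name: str
    critical: bool            # business-critical system
    internet_exposed: bool    # contextual information supporting risk-based decisions
    inventory_updated: date   # last time this inventory record was refreshed
    installed: dict = field(default_factory=dict)  # patch id -> install date

HOSTS = [
    Host("web-01", True, True, date(2017, 6, 1),
         {"P-001": date(2017, 3, 20), "P-002": date(2017, 4, 20), "P-003": date(2017, 5, 15)}),
    Host("db-01", True, False, date(2017, 6, 1),
         {"P-001": date(2017, 4, 30), "P-002": date(2017, 5, 1)}),
    Host("app-02", False, True, date(2017, 6, 15),
         {"P-001": date(2017, 3, 25), "P-002": date(2017, 4, 25)}),
    Host("wks-17", False, False, date(2017, 2, 1), {"P-002": date(2017, 4, 15)}),
]

def missing_patches(host):
    return sorted(p for p in PATCHES if p not in host.installed)

def pct_fully_patched(hosts=HOSTS):
    """Share of inventoried hosts with every catalogued patch installed."""
    return 100.0 * sum(1 for h in hosts if not missing_patches(h)) / len(hosts)

def mean_days_to_patch_critical(hosts=HOSTS):
    """Average days between vendor release and installation, critical hosts only."""
    delays = [(d - PATCHES[p][0]).days for h in hosts if h.critical for p, d in h.installed.items()]
    return sum(delays) / len(delays)

def stale_inventory(as_of=AS_OF, max_age_days=30, hosts=HOSTS):
    """Hosts whose inventory record is older than the allowed age."""
    return [h.name for h in hosts if (as_of - h.inventory_updated).days > max_age_days]

def priority_backlog(hosts=HOSTS):
    """Missing patches ordered for deployment: exploited in the wild first, then exposed, then critical hosts."""
    items = [(h, p) for h in hosts for p in missing_patches(h)]
    items.sort(key=lambda hp: (not PATCHES[hp[1]][1], not hp[0].internet_exposed, not hp[0].critical))
    return [(h.name, p) for h, p in items]
```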