The Cybersecurity and Infrastructure Security Agency rolled out its first binding operation directive (BOD) under Director Jen Easterly on Wednesday. While the BOD is for patch management at civilian federal agencies, CISA made its CVE catalog available to everyone.
Organizations with limited visibility over their assets sometimes "don't feel that the threat is clear and immediate," and delay patches, Aviad Hasnis, CTO of Cynet, said via email. "Bottom line: they just don't do it."
It's when companies know bad actors are rapidly exploiting vulnerabilities that they rush to update. "The priority to install security updates is greatly enhanced because of the fear," Hasnis said.
With the hopes that the private sector will follow along with agencies, the catalog is a shared tool to boost overall U.S. resilience. While it likely won't overhaul corporate patch management policies, it could at least give CISOs a necessary tool in the boardroom and concrete recommendation for prioritization.
"CISOs now have an independent validator to justify" resource requests, said Robert Cattanach, partner at Dorsey & Whitney. Companies could be subject to claims of inadequate security by investors, consumers, or legislators if an incident occurs after CISA posts a CVE.
The catalog includes 291 CVEs, many of which are from high profile compromises this year. But it's not exhaustive — companies could have CVEs they need to manage based on their infrastructure.
Ninety-nine of the 291 CVEs CISA catalogued have a patch due date of Nov. 17, for federal civilian agencies. May 3, 2022 is the next due date for 175 CVEs, and the remaining CVEs have already passed their update due dates — ranging from January 2020 to July 2021.
"This could be a two-edged sword: It helps companies prioritize, but it could also create the unintended consequence of a de facto standard that could be used against them if they fail to implement patches listed in the catalog," Cattanach said.
"CISOs now have a clear benchmark for what the floor of their patch management standard needs to be," he said.
The agency is taking a new approach to vulnerability remediation — it steps away from traditional common vulnerability scoring system (CVSS) to characterize vulnerabilities across any organization or sector. The CVSS scale is limited in nature, because scores are based on a vulnerability's known information — data which vendors can limit in disclosure.
If vendors don't provide details about a vulnerability, the National Vulnerability Database "will score that vulnerability as a 10.0," or the highest rating, according to the National Institute of Standards and Technology (NIST). With such an approach, companies could prioritize updates less critical than others.
For CISA to add a new vulnerability to its catalog, it has undergo an executive level CISA review and meet three standards:
- Have an assigned common vulnerabilities and exposures (CVE) identification
- Have evidence bad actors are actively exploiting a vulnerability
- Have already issued an update for the vulnerability
The move away from pure CVSS "should really simplify the process for organizations," said Chad Hoffman, COO of Analyst1, a threat intelligence company, and former Department of Defense threat intelligence analyst. "The CVSS was cumbersome to use, and although it provided some clarity, it was also just one aspect that analysts could use to leverage what to prioritize."
CISA is encouraging private entities and local governments to monitor the catalog, though its usefulness will depend on a company's resources, current patch management system, and ability to keep pace with mounting vulnerabilities.
"Overall, this probably won't change much in how companies patch but rather give beneficial information on what organizations should prioritize," said Jim Bowers, security architect at TBI Inc.
Timely patching, in coordination with federal agencies, could be the next area the government works on incentivization. Unless mandated, the government has to focus on what it can offer companies in exchange for practicing preventative measures.
"The due date is a very nice touch," said Hasnis. But "if a vulnerability is already exploited in the wild, having a due date which is more than a few hours in the future can be futile," he said. There will always be vulnerabilities that show no proof of exploitation, one of CISA's requirements for the catalog.
The pandemic already forced security and IT departments to rethink their priorities beyond patching, which means the catalog may not be as effective as intended, according to Bowers, though it will provide a more focused approach. CISA is giving organizations the opportunity to sign up for notifications for when a new exploitable CVE is added to the catalog, so companies "will need to figure out how often to check it and how to integrate it," Bowers said.
Cattanach agreed — The catalog will supplement Microsoft's Patch Tuesday, for example.
Even with guaranteed weekly patch rollouts, "not everyone can implement all recommendations immediately," he said. "This will provide another metric for those companies with limited resources" to take care of the most discernible threats to their organization, which likely target small- to medium-sized businesses.
CISA reccomends organizations apply updates as instructed by the vendor for each CVE in the catalog, and links to NIST's guide of the respective vulnerability. Enterprises will find the catalog a useful tool as it will provide them with faster information, according to Hoffman. But the challenge will be how a company aggregates and organizes the information in an actionable way, he said.
"Mature organizations should find the value of this information quicker, but the organizations that don't have mature operations, it will take some time for them to absorb and take action," Hoffman said.
The due dates are not requirements for companies, like they are for agencies. But the public nature of the catalog could incentivize threat actors to hasten their pace; If bad actors know when patches are to be due, they may work faster to exploit a target.
"Think of this as whack-a-mole on steroids. The cadence of vulnerability identification and exploitation by threat actors, and then preventive action by targets, will be much faster," said Cattanach.