CISA Releases Decision Tree Methodology for Assessing and Remediating Software Vulnerabilities

November 14, 2022

CISA has issued a decision tree methodology that can be adopted by healthcare organizations to help them develop an efficient and effective vulnerability management program.

The Importance of an Efficient Patch Management Program

When it comes to vulnerability management, the best practice is to patch promptly. When software updates and patches are released, they should be applied as soon as possible to prevent bad actors from exploiting the flaws. In practice, promptly patching all vulnerabilities is a major challenge due to the sheer number of patches and software updates being released, nor is it wise to treat them all the same, as vulnerabilities are not all equal. Some are much more likely to be exploited than others, and the impact of successful exploitation can vary considerably. IT teams therefore need to prioritize patching and deal with critical and actively exploited vulnerabilities first.

Healthcare organizations with mature vulnerability management programs are more likely to have efficient processes for vulnerability management. They will assess the severity of each vulnerability, the impact exploitation would have, and whether the vulnerability is being actively exploited or a proof-of-concept (PoC) exploit is in the public domain, and from these determine the likelihood of the vulnerability being exploited. After assessing each vulnerability, they can then prioritize patching effectively. Smaller healthcare organizations may struggle to assess and prioritize patching, and the consequences of getting it wrong can be severe: important updates may be missed, which leaves the door wide open for hackers.

A Decision Tree Method for Assessing and Remediating Software Vulnerabilities

Last week, the Cybersecurity and Infrastructure Security Agency (CISA) released guidance to help organizations prioritize patching and shared a Stakeholder-Specific Vulnerability Categorization (SSVC) vulnerability management methodology that can be adopted to ensure vulnerabilities are accurately assessed, allowing remediation efforts to be prioritized.

CISA Executive Assistant Director (EAD) Eric Goldstein explained in a recent blog post that there are three key steps needed to advance the vulnerability management ecosystem. They are:

1) To introduce greater automation into vulnerability management.

2) To make it easier for organizations to understand whether a given product is impacted by a vulnerability through widespread adoption of the Vulnerability Exploitability eXchange (VEX).

3) To help organizations more effectively prioritize vulnerability management resources through the use of SSVC, including prioritizing vulnerabilities based on CISA’s Known Exploited Vulnerabilities (KEV) catalog.

The SSVC system was developed by CISA and the Software Engineering Institute (SEI) at Carnegie Mellon University, with CISA then developing its own custom version of the SSVC for assessing and addressing vulnerabilities that affect government and critical infrastructure organizations.

The SSVC can be used by organizations to assess vulnerabilities based on five values: the exploitation status (is it currently being exploited?), the technical impact (how serious is the vulnerability?), whether the vulnerability is automatable, the mission prevalence, and the public well-being impact. Vulnerabilities can then be placed into one of four categories:

  • Track – No immediate action is required, but the vulnerability should be tracked and reassessed if further information becomes available, and remediated within standard time frames.
  • Track* – No immediate action is required, but there are characteristics that require closer monitoring for changes. These vulnerabilities should be remediated within standard time frames.
  • Attend – The vulnerability requires attention from the organization’s internal, supervisory-level individuals. Necessary actions include requesting assistance or information about the vulnerability and potentially publishing a notification internally and/or externally. The vulnerability needs to be remediated sooner than standard update timelines.
  • Act – The vulnerability requires attention from the organization’s internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability and publishing a notification internally and/or externally. Internal groups would meet to determine the overall response and then execute agreed-upon actions, with the vulnerability remediated as soon as possible.
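As an added example, not code from the article or from CISA's guide, the five decision points and four outcomes above expressed as a data-driven decision tree with input validation and a prioritized patch queue. The value vocabulary, the rollup of mission prevalence and public well-being into low/medium/high, and every leaf assignment are constructed for illustration; an organization adopting SSVC would transcribe the leaf table from CISA's published tree.

```python
# Allowed values for the five decision points the article names (vocabulary assumed).
ALLOWED = {
    "exploitation": ("none", "poc", "active"),
    "automatable": ("no", "yes"),
    "technical_impact": ("partial", "total"),
    "mission_prevalence": ("minimal", "support", "essential"),
    "well_being": ("minimal", "material", "irreversible"),
}
DECISIONS = ("Track", "Track*", "Attend", "Act")  # least to most urgent
# Constructed leaf table, illustrative only (not CISA's published assignments):
# (exploitation, automatable, technical_impact) -> decision at mission/well-being low, medium, high
LEAVES = {
    ("none", "no", "partial"): ("Track", "Track", "Track"),
    ("none", "no", "total"): ("Track", "Track", "Track*"),
    ("none", "yes", "partial"): ("Track", "Track", "Attend"),
    ("none", "yes", "total"): ("Track", "Track", "Attend"),
    ("poc", "no", "partial"): ("Track", "Track", "Track*"),
    ("poc", "no", "total"): ("Track", "Track*", "Attend"),
    ("poc", "yes", "partial"): ("Track", "Track", "Attend"),
    ("poc", "yes", "total"): ("Track", "Track*", "Attend"),
    ("active", "no", "partial"): ("Track", "Track", "Attend"),
    ("active", "no", "total"): ("Track", "Attend", "Act"),
    ("active", "yes", "partial"): ("Attend", "Attend", "Act"),
    ("active", "yes", "total"): ("Attend", "Act", "Act"),
}

def mission_wellbeing(prevalence, well_being):
    # Assumed rollup of the two organisational values into low / medium / high.
    if prevalence == "essential" or well_being == "irreversible":
        return "high"
    return "low" if (prevalence, well_being) == ("minimal", "minimal") else "medium"

def classify(v):
    # Reject unknown or misspelled values instead of silently defaulting to Track.
    for field, allowed in ALLOWED.items():
        if v.get(field) not in allowed:
            raise ValueError(f"{v.get('id')}: {field}={v.get(field)!r} not in {allowed}")
    col = ("low", "medium", "high").index(mission_wellbeing(v["mission_prevalence"], v["well_being"]))
    return LEAVES[(v["exploitation"], v["automatable"], v["technical_impact"])][col]

def prioritize(vulns):
    # (id, decision) pairs, most urgent first: Act and Attend items reach the patch queue before Track.
    return sorted(((v["id"], classify(v)) for v in vulns), key=lambda p: -DECISIONS.index(p[1]))

# Constructed sample findings (ids are labels, not real CVEs).
FIELDS = ("id",) + tuple(ALLOWED)
SAMPLE = [dict(zip(FIELDS, row)) for row in (
    ("VULN-A", "active", "yes", "total", "essential", "material"),
    ("VULN-B", "none", "no", "partial", "minimal", "minimal"),
    ("VULN-C", "poc", "no", "total", "support", "minimal"))]
```

Because the leaf table is data, the same walker can be pointed at a different set of assignments without touching the logic, and the validation step turns a misspelled input into an error rather than a quietly under-rated finding.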

CISA recommends using the SSVC alongside CISA’s Known Exploited Vulnerabilities (KEV) Catalog, the Common Security Advisory Framework (CSAF) machine-readable security advisories, and the Vulnerability Exploitability eXchange (VEX). When these are all used together, the window cyber threat actors have to exploit networks will be significantly reduced.

The SSVC and the guide on its usage can be viewed here.

The post CISA Releases Decision Tree Methodology for Assessing and Remediating Software Vulnerabilities appeared first on HIPAA Journal.