An audit of cybersecurity for DHS’ nine most frequently visited Web sites found that although general security protocols were followed, there were still a number of vulnerabilities and gaps in security, including inconsistent management of security patching and security assessments. Lipowicz, Alice. “DHS Web sites vulnerable to hackers, IG says”, Federal Computer Week, 09Oct2009.
It is almost hard to comprehend that, even after years of pounding the message of “patch your systems”, unpatched systems are still making headlines. I can picture internal servers running legacy applications that fail when the latest OS patches are applied being kept off a patch management system, but simple Internet-facing web servers? This report is especially egregious considering these systems are managed by DHS.
Beyond the issue of patch management is the use of regular vulnerability assessments as part of an overall risk management program. The two questions I like to ask are 1) Are your systems up to date? and 2) How do you know? The second question is the one that matters: a patch schedule says what should have happened, and only an independent check of the running systems shows what actually did. Just as there are a number of patch management programs available, there are also a number of vulnerability scanning tools. I’ve used several, and many do a good job of pointing out glaring (and not so glaring) problems.
The real trick to vulnerability scanning tools is using the information to fix problems when they are found. If you aren’t going to do anything with the information, then why even bother? If available, use the help desk and log a ticket for each finding so it has an owner and a due date. Notify the department head and schedule a meeting to discuss the timeline for remediation. If the system is incapable of supporting a patch due to application incompatibilities, look at compensating controls to at least reduce the exposure, and document the exception so it is revisited rather than forgotten. The very worst thing that can be done is to sit on the information. Information is only valuable if it drives action. So take action, but do so as a partner, not as a dictator.
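The two paragraphs above describe a loop: scan, then turn every finding into tracked work with a deadline, a named owner, and either a fix or a documented compensating control. As an added example (not code from the original post, and not tied to any particular scanner), the script below takes a constructed CSV export of scan findings, applies an assumed remediation SLA per severity, marks what is already overdue, and separates hosts that can be patched from hosts that need a compensating control. The host names, the CSV column layout, the SLA table, and the patch-exempt list are all assumptions for illustration.

```python
"""Turn vulnerability-scan findings into tracked remediation work.

Added example, not from the original post: triage scanner output into
ticket stubs with due dates, flag overdue items, and route patch-exempt
hosts to compensating controls. The CSV layout, SLA table, host names,
and exemption list are assumptions, not any real scanner's format.
"""
import csv
import io
from datetime import date, timedelta

# Assumed remediation policy: days allowed to close a finding, by severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed scanner export. Real tools emit many more columns; the ones
# that matter for tracking are host, what was found, severity, and when it
# was first seen (age is what answers "how do you know?").
SAMPLE_SCAN = """\
host,finding,severity,first_seen
www1.example.com,Missing OS security updates,high,2009-08-15
www1.example.com,Web server version disclosure,low,2009-09-01
www2.example.com,Missing OS security updates,high,2009-10-01
legacy-app.example.com,Missing OS security updates,critical,2009-07-01
legacy-app.example.com,Default admin page exposed,medium,2009-09-20
"""

# Assumed list of hosts whose applications break on current patches; they
# get a compensating control and a documented exception, not silence.
PATCH_EXEMPT = {"legacy-app.example.com"}


def parse_findings(text):
    """Parse the CSV export into dicts with a real date for first_seen."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["severity"] = row["severity"].strip().lower()
        row["first_seen"] = date.fromisoformat(row["first_seen"].strip())
        rows.append(row)
    return rows


def triage(findings, today, exempt=PATCH_EXEMPT):
    """Build one ticket per finding with a due date and a required action.

    Tickets come back sorted with overdue items first, then by severity,
    then by due date: the order to walk through with the system owner.
    """
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    tickets = []
    for f in findings:
        due = f["first_seen"] + timedelta(days=SLA_DAYS[f["severity"]])
        if f["host"] in exempt:
            action = "compensating control (host is patch-exempt)"
        else:
            action = "patch / fix"
        tickets.append({
            "host": f["host"],
            "finding": f["finding"],
            "severity": f["severity"],
            "due": due,
            "overdue": today > due,
            "action": action,
        })
    tickets.sort(key=lambda t: (not t["overdue"], rank[t["severity"]], t["due"]))
    return tickets


def summary_by_host(tickets):
    """Count open and overdue tickets per host for the status meeting."""
    out = {}
    for t in tickets:
        s = out.setdefault(t["host"], {"open": 0, "overdue": 0})
        s["open"] += 1
        s["overdue"] += int(t["overdue"])
    return out


if __name__ == "__main__":
    today = date(2009, 10, 9)  # date of the cited article, used as "now"
    tickets = triage(parse_findings(SAMPLE_SCAN), today)
    for t in tickets:
        flag = "OVERDUE" if t["overdue"] else "due"
        print(f"{flag:7} {t['due']} {t['severity']:8} {t['host']:22} "
              f"{t['finding']} -> {t['action']}")
    print(summary_by_host(tickets))
```

The point of the exemption list is that "we can't patch it" becomes a recorded decision with its own ticket and control, rather than a host that quietly drops off the report. Swapping `SAMPLE_SCAN` for a real export and `PATCH_EXEMPT` for the organization's approved exception list is all that changes in practice.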
Hello from Russia!
Can I quote a post from your blog with a link to you?
Sure. Thanks. – Paul