Patching in the AI Era

Patching

On June 12, CISA hosted a state, local, tribal and territorial (SLTT) SNAP security operations center call to discuss prioritizing vulnerability updates based on risk. The update schedules are mandatory for federal organizations; CISA shared the guidelines with other critical infrastructure organizations as recommendations. The new CISA guidelines for addressing vulnerabilities include nuances worth considering when creating or tuning an organization's vulnerability management and patch plans. With AI tools accelerating the rate at which vulnerabilities are discovered, and the corresponding increase in the frequency and volume of system patch releases, a shift in mindset and in the criteria for response and patching may help prioritize time and resources.

Consider the following criteria for managing vulnerabilities in hosted systems:

  1. Is the system public-facing? CISA's guidelines encourage focusing on public-facing systems, as these may be quickly scanned by threat actors for vulnerabilities.
  2. Does the system contain sensitive data, is it critical for operations, or does it provide a gateway to other systems holding critical or sensitive data? If any of these apply, prioritize patching.
  3. Is the vulnerability being exploited? (Is the CVE in CISA's Known Exploited Vulnerabilities [KEV] database?) If so, prioritize it over anything not being exploited.
  4. Is the threat automatable? If so, prioritize it.

In particular, when the above criteria are met, CISA recommends following a forensic investigation process to determine whether the vulnerability has already been exploited before patching. The SNAP call emphasized the importance of both forensic investigation and rapid patching for easily exploitable, critical systems that are public-facing.
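The triage below is an added example, not code from CISA or from this article: it applies the four questions above (public-facing, sensitive/critical, listed in KEV, automatable) to a small constructed inventory and flags the "investigate before patching" case from the preceding paragraph. The KEV lookup reads a constructed excerpt in the shape of CISA's KEV JSON feed; the CVE identifiers in it are placeholders, and the weights, tier thresholds and field names are assumptions chosen for illustration rather than anything CISA publishes.

```python
"""Risk-based patch triage (added example; weights and tiers are assumptions)."""
import json
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed excerpt in the shape of the KEV JSON feed. The CVE IDs are
# placeholders, not real catalog entries.
KEV_FEED_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
     "product": "EdgeGateway", "requiredAction": "Apply updates per vendor instructions.",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor",
     "product": "InternalWiki", "requiredAction": "Apply updates per vendor instructions.",
     "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""


def load_kev_ids(feed_json: str) -> Set[str]:
    """Return the set of CVE IDs listed in a KEV feed document."""
    return {v["cveID"] for v in json.loads(feed_json)["vulnerabilities"]}


@dataclass
class Finding:
    """One vulnerable host/CVE pair from a scanner or asset inventory."""
    host: str
    cve: str
    public_facing: bool
    sensitive_or_critical: bool  # holds sensitive data, is operationally critical, or gateways to such systems
    automatable: bool            # exploitation needs no human interaction (assumed analyst judgement)


# Assumed weights: exploited-in-the-wild dominates, then exposure, then automation, then data value.
WEIGHTS = {"in_kev": 4, "public_facing": 3, "automatable": 2, "sensitive_or_critical": 1}


def triage(f: Finding, kev_ids: Set[str]) -> Dict[str, object]:
    """Score one finding and decide its tier and whether to investigate before patching."""
    in_kev = f.cve in kev_ids
    score = (WEIGHTS["in_kev"] * in_kev
             + WEIGHTS["public_facing"] * f.public_facing
             + WEIGHTS["automatable"] * f.automatable
             + WEIGHTS["sensitive_or_critical"] * f.sensitive_or_critical)
    if score >= 7:
        tier = "P1"
    elif score >= 4:
        tier = "P2"
    elif score >= 1:
        tier = "P3"
    else:
        tier = "P4"
    # An exposed system with a CVE that is already being exploited may already be
    # compromised, so the forensic check comes before the patch is applied.
    investigate_first = in_kev and f.public_facing
    return {"host": f.host, "cve": f.cve, "in_kev": in_kev, "score": score,
            "tier": tier, "investigate_before_patching": investigate_first}


def prioritize(findings: List[Finding], kev_ids: Set[str]) -> List[Dict[str, object]]:
    """Order findings so that KEV-listed CVEs always precede non-exploited ones."""
    rows = [triage(f, kev_ids) for f in findings]
    return sorted(rows, key=lambda r: (r["in_kev"], r["score"]), reverse=True)


# Constructed sample inventory (hostnames and flags are illustrative).
SAMPLE_FINDINGS = [
    Finding("vpn-gw-01", "CVE-0000-0001", public_facing=True, sensitive_or_critical=True, automatable=True),
    Finding("wiki-int", "CVE-0000-0002", public_facing=False, sensitive_or_critical=True, automatable=False),
    Finding("build-box", "CVE-0000-0003", public_facing=False, sensitive_or_critical=False, automatable=True),
    Finding("kiosk", "CVE-0000-0004", public_facing=True, sensitive_or_critical=False, automatable=False),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_FINDINGS, load_kev_ids(KEV_FEED_JSON)):
        print(row)
```

The sort key puts KEV membership ahead of the numeric score so that an exploited CVE on an internal host still ranks above an unexploited one on a public-facing host, matching the third criterion; the score then orders findings within each group. In production the KEV excerpt would be replaced by the current catalog download and the boolean flags by fields from the asset inventory and scanner output.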

References

CISA’s BOD 26-04: Prioritizing Security Updates Based on Risk

CISA’s Known Exploited Vulnerabilities Database

Common Vulnerabilities and Exposures (CVE) Database