
Timeline for Patching Vulnerabilities

Hackers are just like everyone else: they want results while doing as little work as they have to.

As soon as a patch is released, hackers start reverse engineering it. Once they have worked out what the patch fixes, they can figure out how to exploit the bug. Often that can be done in as little as 24 hours.

The window between a patch's release and its installation is the period of maximum risk for that device: the vulnerability is publicly known and can be exploited most easily by the most people.

DHS's Binding Operational Directive 15-01 required executive branch agencies to patch critical bugs in Internet-facing systems within 30 days. That was the government's first attempt at mandating a time to correction. Compliance was fairly good and improved on what the government had been doing before, which was horrible. That directive was issued four years ago, an eternity in Internet time.

This week DHS's Cybersecurity and Infrastructure Security Agency (CISA) released Binding Operational Directive 19-02, which revokes BOD 15-01 and issues new requirements for patching.

While this new directive is binding only on most executive branch agencies, given how rarely BODs are issued, it is probably a good standard for everyone.

Here is what the directive requires:

  • Within 5 working days of bringing an IP address online, it must be reported to the team responsible for vulnerability scanning so that it can be scanned.
  • Critical vulnerabilities must be remediated within 15 calendar days of being identified.
  • High vulnerabilities must be remediated within 30 calendar days of being identified.
  • If a vulnerability is not remediated within the prescribed time, a report must be sent to CISA explaining why it was not remediated, what interim remediation can be done, and when the vulnerability will be remediated.

CISA will track and report agency progress and compliance with these requirements.
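To make the timelines concrete, here is an added example (not part of the original alert or of the directive itself) that applies the BOD 19-02 clocks to a constructed list of findings: it computes each remediation deadline from the identification date, flags findings that are overdue and therefore need the report to CISA, and computes the 5-working-day reporting deadline for a newly online IP address. The host names and dates are made up, and the working-day calculation is assumed to skip only weekends, not federal holidays.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation windows from BOD 19-02, in calendar days from identification.
REMEDIATION_DAYS = {"critical": 15, "high": 30}
# New IP addresses must be reported to the scanning team within 5 working days.
IP_REPORT_WORKING_DAYS = 5


@dataclass
class Finding:
    host: str
    severity: str   # "critical" or "high"; other severities carry no BOD deadline
    identified: date


def remediation_deadline(finding: Finding) -> date:
    """Calendar-day deadline for a critical or high finding."""
    return finding.identified + timedelta(days=REMEDIATION_DAYS[finding.severity.lower()])


def add_working_days(start: date, working_days: int) -> date:
    """Advance by N working days (Mon-Fri). Assumption: federal holidays are not skipped."""
    current, remaining = start, working_days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:   # Monday=0 .. Friday=4
            remaining -= 1
    return current


def ip_report_deadline(online_since: date) -> date:
    return add_working_days(online_since, IP_REPORT_WORKING_DAYS)


def overdue_findings(findings, today: date):
    """Findings past their deadline, with days late; each needs the CISA report."""
    return [(f, (today - remediation_deadline(f)).days)
            for f in findings if today > remediation_deadline(f)]


# Constructed sample findings (hypothetical hosts, not real vulnerabilities).
SAMPLE = [
    Finding("web-01.example", "critical", date(2019, 4, 1)),   # due 2019-04-16
    Finding("mail-01.example", "high", date(2019, 4, 1)),      # due 2019-05-01
    Finding("vpn-01.example", "critical", date(2019, 4, 20)),  # due 2019-05-05
]

if __name__ == "__main__":
    today = date(2019, 5, 3)
    for f, late in overdue_findings(SAMPLE, today):
        print(f"{f.host}: {f.severity} finding {late} days past deadline; CISA report required")
    print("IP online Fri 2019-05-03 must be reported by", ip_report_deadline(date(2019, 5, 3)))
```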

Given the velocity at which hackers are moving, it is critical that businesses step up their game too.

Unless they want to be the next Equifax: the cause of that breach was a missing patch that was 60 days old.

A copy of the Binding Operational Directive can be found here.

Does your organization have a standard for how quickly vulnerabilities need to be fixed?

What about a requirement for how often systems should be scanned for vulnerabilities? The government's standard is continuous scanning, meaning that some system is always being scanned. This replaces the old-school model of scanning once a month or a few times a year.

Remember that as soon as a patch is released by an application or system vendor, that release is constructive notice of the vulnerability (whether or not your scanning found it on a given system) and starts the patch clock ticking.