Cybersecurity Awareness Month – Behavior: Update, Compensate, or Isolate

Created: Thursday, October 20, 2022 - 14:27
Categories:
Cybersecurity, Security Preparedness

-by Jennifer Lyn Walker

Today we’ll cover Cybersecurity Awareness Month 2022’s behavior of software updates. This behavior takes on a very different complexion for organizations than it does for individuals. Nonetheless, behaving accordingly is just as important in each environment.

Individuals

The National Cybersecurity Alliance puts software updates quite simply: Unpatched, out-of-date devices and software are a leading access point for cyber criminals. That’s why practicing good cyber hygiene is so important for avoiding destructive malware that can steal users’ personal information. To keep your devices safe: 

  • Enable the lock feature on all your mobile devices.  
  • Activate multifactor authentication (MFA) on your sensitive apps and accounts.
  • Run antivirus software and install system updates immediately.

And CISA says, “Don't delay -- If you see a software update notification, act promptly. Better yet, turn on automatic updates.”

Organizations

Vulnerabilities represent a significant portion of our organizational attack surface. While CISA’s advice works great for our personal devices, organizations don’t have it quite so easy. As such, patching/updating has become a bane for many. So much so that threat actors know we are poor at patching and leverage that gap to exploit devices left unpatched in our networks. Just visit CISA’s Known Exploited Vulnerabilities Catalog to see what we know is being exploited by adversaries.

Vulnerability management is part of the core of every cybersecurity strategy, so don’t let its appearance at #7 (Embrace Vulnerability Management) in WaterISAC’s 15 Cybersecurity Fundamentals for Water and Wastewater Utilities fool you. Vulnerability management means identifying and remediating cybersecurity gaps and vulnerabilities before the bad guys exploit them. Once vulnerabilities have been identified and prioritized, they must be remediated.

Remediating vulnerabilities typically involves a patch or update. However, in instances where patches are not or cannot be applied (such as in a control system environment), it’s important to compensate for the lack of patching via other security control methods such as “hardening” to remove unnecessary/vulnerable functions, services, or applications. Likewise, there are times when it’s necessary to isolate vulnerable devices/components that may no longer be supported by the vendor/integrator/OEM (and replacing them is not yet an option).

Essentially, as previously stated, remediation or mitigation is sometimes not practical, effective, or even possible. However, all vulnerabilities must be addressed, even if that means only documenting and accepting the risk and the reason why it cannot be corrected. Ignoring them is not an option.

Additional Cybersecurity Awareness Month 2022 Resources