Software patching can never be done quickly enough, but some initiatives are setting Federal agencies on the route to better patching policies, according to security experts.
“The river’s gotten wider and deeper, and so as it’s moving more rapidly the problem is that a lot of the organizations haven’t been able to change how they’re structured to go with it,” said John Scott, president of Ion Channel, which provides software supply chain solutions. “Most organizations aren’t equipped to deal with it.”
According to Scott, IT system patches used to be less frequent and there were fewer systems to patch, giving agencies more time to go through patch testing and implementation policies.
“What that meant was, an update would come out or a fix or something like that, and you would have time to implement it,” said Scott. “And so you would have time to kind of test it before you implement it, make sure it worked, make sure it didn’t break your systems.”
“Any major organization typically needs to make sure that the patch doesn’t cause other problems,” said Jeff Greene, senior director of global government affairs and policy at Symantec.
“The larger the agency, the more complex the environment, the more testing you have to do on a patch before you roll it out,” agreed Chris Townsend, vice president of Federal at Symantec.
Part of the problem, Scott said, was that government relied on large systems that could take down an entire agency’s ability to operate if a patch went wrong.
“They look at systems as basically these big monolithic things that you just bought and it’s done,” said Scott. “As a result, the big monolithic systems did a few things well, but a few things not so well. That’s why you end up with this huge testing cycle.”
He explained that some agencies are beginning to break systems down into their component parts, called microservices, making them easier to authorize on the acquisition side and protecting the rest of the system if an update goes bad.
“Once you have them out there, they can be used by other agencies,” said Scott. In particular, he applauded the work done by the General Services Administration’s 18F, whose Project Boise aims to develop a drastically shortened authority to operate (ATO) process.
Greene said that government has already proven its patching improvements through its resilience to the WannaCry virus, which affected unpatched Microsoft Windows systems.
“WannaCry is a pretty good case study,” said Greene. “That’s a really good example of why patching can protect you.”
For Scott, agencies must now work to learn exactly what systems they have, and to automate the patching process.
“Automation is really the only way you deal with the speed of what’s going on,” said Scott, adding that most patches still require a person to actively seek out the patch to their software and install it.
According to Scott, some government CIOs still rely on emails to their IT departments to determine whether they use a particular vulnerable system and if that system has been patched. Some of those IT departments still send the patch downloads to employees through email.
“If I was a really, really smart and ready adversary, I’d start phishing people,” said Scott, explaining that he could masquerade as an IT employee and send malware under the guise of a necessary software patch.
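The two points Scott raises in this section, knowing which systems run a vulnerable component without polling IT departments by email, and refusing patch downloads that arrive through channels an attacker could imitate, are what a small automated check looks like in practice. The following is an added example, not code from the article, from Ion Channel, or from any agency. The inventory CSV, the product name `ExampleServer`, the host names, the advisory and the patch bytes are all constructed; in real use the inventory would come from an asset-management system and the expected digest from the vendor's advisory fetched out of band, never from the message that carries the file.

```python
"""Constructed example: find assets below an advisory's fixed version and
verify a patch artifact against an out-of-band digest before installing it."""
import csv
import hashlib
import io
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_version: str    # first version that contains the fix
    artifact_sha256: str  # digest published by the vendor, obtained out of band


# Constructed inventory export (hypothetical hosts, product and versions).
INVENTORY_CSV = """host,product,version
web-01,ExampleServer,2.3.1
web-02,ExampleServer,2.4.0
db-01,OtherDB,9.1
"""

# Constructed patch file; the digest is what the vendor advisory would list.
GOOD_PATCH = b"constructed patch bytes for ExampleServer 2.4.0"
ADVISORY = Advisory(
    product="ExampleServer",
    fixed_version="2.4.0",
    artifact_sha256=hashlib.sha256(GOOD_PATCH).hexdigest(),
)


def load_inventory(text: str) -> List[Asset]:
    """Parse a host,product,version CSV export into Asset records."""
    reader = csv.DictReader(io.StringIO(text))
    return [Asset(r["host"], r["product"], r["version"]) for r in reader]


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric versions only (assumption; pre-release tags need more)."""
    return tuple(int(part) for part in v.strip().split("."))


def needs_patch(asset: Asset, advisory: Advisory) -> bool:
    """True when the asset runs the affected product below the fixed version."""
    return (asset.product == advisory.product
            and parse_version(asset.version) < parse_version(advisory.fixed_version))


def affected_hosts(inventory: List[Asset], advisory: Advisory) -> List[str]:
    """Sorted hosts that still need the patch; replaces the email round-trip."""
    return sorted(a.host for a in inventory if needs_patch(a, advisory))


def verify_patch_artifact(data: bytes, expected_sha256: str) -> bool:
    """Reject any file whose SHA-256 does not match the out-of-band digest."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()


def plan_patching(inventory: List[Asset], advisory: Advisory, artifact: bytes) -> Dict:
    """Combine both checks: which hosts to patch, and whether the file is trusted."""
    hosts = affected_hosts(inventory, advisory)
    ok = verify_patch_artifact(artifact, advisory.artifact_sha256)
    # A bad digest means nothing is scheduled, however many hosts are exposed.
    return {"hosts": hosts, "artifact_ok": ok, "scheduled": hosts if ok else []}


if __name__ == "__main__":
    inv = load_inventory(INVENTORY_CSV)
    print(plan_patching(inv, ADVISORY, GOOD_PATCH))
    print(plan_patching(inv, ADVISORY, GOOD_PATCH + b"tampered"))
```

Run as a script it prints one plan that schedules `web-01` and a second that schedules nothing because the tampered file fails the digest check. The hash comparison is the defender's answer to the phishing scenario in the quote above: an installer obtained from an email is only accepted if it matches the digest published by the vendor through a channel the sender does not control.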
Townsend said that agencies should ensure they have good patching discipline, which the government is moving toward, and be sure to install security software for the times when patching isn’t enough.
“Doing that in conjunction with good patching discipline is really going to cut down on a lot of vulnerabilities that we’re seeing,” said Townsend.