Do you patch your systems? How do you know?

The Center for Internet Security (CIS) Critical Security Controls makes a good effort to prioritize IT Security controls. This prioritized list of controls provides an implementation pathway that closes the biggest security gaps first. There are 20 controls in total, and CIS calls out the “First Five” as being the most fundamental controls for an IT Security Program. They are:

1. Inventory of Authorized and Unauthorized Hardware
2. Inventory of Authorized and Unauthorized Software
3. Secure Configuration for Hardware and Software
4. Continuous Vulnerability Assessment and Remediation
5. Controlled Use of Administrative Privileges

Security specialists are sometimes surprised at the first two items in the list. Why are inventories of hardware and software the most fundamental items for IT Security? To answer that, I’d like to tell a story.

A few years ago, I was the Chief Security Officer at a small financial services provider (a fintech company). This company had grown due to recent acquisitions and had become an increasingly significant industry provider of bank payment services.  Because of this growth, the company attracted the attention of financial regulators who were increasingly interested in their IT security operations. 

One of the items of interest to the regulators was patch management. I spent a few weeks with the regulators discussing all aspects of the company’s IT security, including patching. One of the interviews started with, “Let’s talk about patch management.  Are you patching your servers and workstations?” I had spent several months making sure our systems were patched and up to date, so I answered confidently that yes, we regularly patch our systems. His second question was far more difficult to answer.  He asked, “How do you know?”

Implied in his question were several other questions: “How do you know that you are patching ALL the systems?”; “How do you know that you are applying patches for ALL the software on those systems?”; “How do you know that the laptop that shows up today in Tokyo is the same one that was in New York last week?” 

Of course, answering these questions requires more work. The answers are possible because of those first two CIS controls. For example, “I know I’m patching all my servers because I have an inventory of them.” Or, “I know I’m patching all the workstations and laptops because I know what is authorized and not authorized on my network, and I can identify a laptop uniquely, regardless of where it is on the network.”  Also, “I know that I’m patching all the software because I know what software is running on each system.” The first two Critical Security Controls are critical because they make all the other controls effective. The first two controls provide answers to the “how do you know” question. 

My experience was with regulators, but the issue is the same if a company gets breached, if data gets stolen, or even if you are just giving an accounting to executives or the board. Corporate executives, regulators, boards of directors and law enforcement will want assurances, even guarantees, that control measures are effective and complete. If the IT department doesn’t have a clear accounting of all the hardware, they cannot know that all the systems have been remediated. If IT doesn’t know what software is running, they cannot be sure the fixes will be effective everywhere. When reporting to the boss that “we fixed it” and she asks, “how do you know?” have a complete inventory of hardware and software. It’s a good way to start answering the question.