The United States government has issued an order to federal agencies requiring them to patch vulnerabilities in their systems and software within 30 days, The Washington Post reports. If they fail to do so, the agencies will not be able to conduct business with other government agencies until they have completed their patches. Agencies are expected to identify all their technology products — including those provided by contractors — and catalog any vulnerabilities no later than Nov. 15, according to the report. A vulnerability list is due on Dec. 15, and patches are due 30 days after that.
If you’re a federal agency, the United States government has now ordered you to patch hundreds of vulnerabilities. Here are seven tips:
Tip 1: Will this vulnerability get leaked?
If you’re worried about a vulnerability getting leaked, here are a few things to consider. First, is the information classified? If so, then it’s less likely to be leaked because it’s not something that people can just share freely. Second, how widely known is the vulnerability? If it’s not well-known, then there’s a smaller chance that someone will leak it. Third, who knows about the vulnerability? If only a few people know about it, then it’s less likely to be leaked. Finally, what would happen if the vulnerability was released? Would it affect national security or public safety? If so, then releasing it would be against US law and unlikely to happen.
Tip 2: Can I rework the code?
Yes, you can. But you need to be very careful when doing so. Depending on the type of vulnerability, it may be possible to create a new attack by simply changing a few lines of code. It’s also important to consider whether or not the fix will actually work: just because it compiles doesn’t mean it will fix the problem. In some cases, it may be best to leave the code as-is and focus on other areas. If you are unsure, then consult with your mentor for help. It is always better to do something than nothing at all!
Tip 3: Does someone else have a fix?
Before you start patching vulnerabilities, it’s important to check if someone else has already done the work for you. The last thing you want is to spend hours patching a vulnerability only to find out that someone else has already released a fix. When you’re scanning for patches, use the “show updates” option in your scanner to see what other security products have been updated recently.
If an update is available from your antivirus vendor or operating system vendor, apply it immediately before going any further with patching vulnerabilities on your own. Remember: Patches are always free!
Tip 4: What are we doing about it now?
Although the US government is often thought of as being behind the times when it comes to technology, it is actually taking a proactive stance on patching vulnerabilities. By ordering federal agencies to patch these vulnerabilities, it is ensuring that critical systems are not left open to attack. The number of vulnerabilities covered by this order is so large because each agency has its own system with its own set of security measures and guidelines for how to deal with them. The government has also been trying to improve its cybersecurity recently by hiring additional experts and developing new standards and guidelines for security.
Tip 5: What happens if we don’t fix it?
If you don’t fix vulnerabilities, hackers will eventually find and exploit them. This can lead to data breaches, which can damage your reputation, cost you money, and even get you sued. The US government is ordering federal agencies to patch hundreds of vulnerabilities. In some cases, these patches could disrupt an agency’s workflow or create other challenges. For example, a software update might require employees to change the way they do their jobs in order for it to work correctly. Sometimes this disruption is warranted because the new patch offers better security than what was previously available.
Tip 6: How many others have this vulnerability?
According to the National Institute of Standards and Technology (NIST), there are over 8,000 known vulnerabilities in software today. The US government is now ordering federal agencies to patch hundreds of these vulnerabilities in an effort to improve cybersecurity. This is a good first step, but it’s only a small fraction of the total number of vulnerabilities out there. So what can you do to protect yourself?
Tip 7: If there isn’t a patch, is there an alternative way to protect against exploitation?
Although patches are the best way to protect against vulnerabilities, there are times when a patch is not available. In these cases, there are some alternative measures you can take to help protect your systems.