Critical Cybersecurity Hygiene: Patching the Enterprise

Current Status

We are currently seeking feedback on a draft project description, Critical Cybersecurity Hygiene: Patching the Enterprise. The public comment period is now open and will close on October 1, 2018. Please submit your feedback.


There are a relatively small number of root causes for many data breaches, malware infections, and other security incidents. Implementing a few relatively simple practices can address those root causes to prevent many incidents from occurring and to lower the potential impact of incidents that still occur. In other words, security hygiene practices make it harder for attackers to succeed and reduce the damage they can cause.

Unfortunately, security hygiene is easier said than done. Even though there is widespread recognition that patching software—operating systems, applications, and the like—can be incredibly effective at mitigating security risk, patching is often resource-intensive, and the act of patching itself can reduce system and service availability. Attempts to expedite patch distribution, such as not testing patches before production deployment, can inadvertently break system functionality and disrupt operations. On the other hand, delays in patch deployment create a larger window of opportunity for attackers.

The Critical Cybersecurity Hygiene: Patching the Enterprise Project will examine how commercial and open source tools can be used to aid with the most challenging aspects of patching general IT systems, including system characterization and prioritization, patch testing, and patch implementation tracking and verification. These tools will be accompanied by actionable, prescriptive guidance on establishing policies and processes for the entire patching life cycle.
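The three lifecycle aspects named above (system characterization and prioritization, implementation tracking, and verification) reduce to reconciling a host inventory against the set of patches each host is required to have. The following is an added illustration, not code from NIST or the NCCoE project: it reads a constructed inventory, ranks the outstanding backlog by severity and exposure, reports a compliance rate, and verifies a deployment after the fact. Host names, patch identifiers, roles and the scoring weights are all placeholders chosen for the example.

```python
"""Patch tracking and verification over a host inventory (added example).

Assumes (constructed for this example, not real data):
  - each host reports a role, an internet-exposure flag and the set of
    patch identifiers it already has installed;
  - each required patch carries a severity (1 low .. 4 critical) and the
    roles it applies to.
Patch identifiers such as "PATCH-A" are placeholders, not real advisories.
"""
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    role: str                      # e.g. "web", "db", "workstation"
    internet_exposed: bool         # used to weight prioritization
    installed: set = field(default_factory=set)


@dataclass
class Patch:
    patch_id: str                  # placeholder identifier
    severity: int                  # 1 (low) .. 4 (critical)
    applies_to: set                # roles this patch is required on


# Constructed sample inventory and patch catalogue.
HOSTS = [
    Host("web-01", "web", True, {"PATCH-A", "PATCH-B"}),
    Host("web-02", "web", True, {"PATCH-A"}),
    Host("db-01", "db", False, {"PATCH-A", "PATCH-C"}),
    Host("ws-17", "workstation", False, set()),
]

PATCHES = [
    Patch("PATCH-A", 4, {"web", "db", "workstation"}),
    Patch("PATCH-B", 3, {"web"}),
    Patch("PATCH-C", 4, {"db"}),
    Patch("PATCH-D", 2, {"workstation"}),
]


def required_patches(host, patches):
    """Characterization: patches that apply to this host's role."""
    return [p for p in patches if host.role in p.applies_to]


def missing_patches(host, patches):
    """Required patches not yet recorded as installed on the host."""
    return [p for p in required_patches(host, patches)
            if p.patch_id not in host.installed]


def priority_score(host, patch):
    """Prioritization: severity, doubled for internet-exposed hosts.
    The weighting is an assumption of this example, not a NIST rule."""
    return patch.severity * (2 if host.internet_exposed else 1)


def backlog(hosts, patches):
    """Tracking: (host, patch_id, score) tuples, highest priority first."""
    items = [(h.name, p.patch_id, priority_score(h, p))
             for h in hosts for p in missing_patches(h, patches)]
    items.sort(key=lambda t: (-t[2], t[0], t[1]))
    return items


def compliance_rate(hosts, patches):
    """Share of (host, required patch) pairs that are satisfied."""
    required = satisfied = 0
    for h in hosts:
        for p in required_patches(h, patches):
            required += 1
            satisfied += p.patch_id in h.installed
    return satisfied / required if required else 1.0


def verify_deployment(hosts, patch_id):
    """Verification: hosts in scope for patch_id that still lack it.
    An empty list means the rollout is complete for the inventory given."""
    in_scope = [h for h in hosts
                if any(h.role in p.applies_to and p.patch_id == patch_id
                       for p in PATCHES)]
    return sorted(h.name for h in in_scope if patch_id not in h.installed)


if __name__ == "__main__":
    for host, patch_id, score in backlog(HOSTS, PATCHES):
        print(f"{score:>2}  {host:<8} needs {patch_id}")
    print(f"compliance: {compliance_rate(HOSTS, PATCHES):.1%}")
    print("PATCH-A still missing on:", verify_deployment(HOSTS, "PATCH-A"))
```

In practice the inventory would come from the organization's configuration management or endpoint management tooling rather than a literal list, and the verification step would be run after each rollout window so that hosts that missed the deployment (offline, failed install, rolled back) are surfaced rather than assumed patched.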

Ultimately, this project will result in a NIST Cybersecurity Practice Guide, a publicly available description of the practical steps needed to implement a cybersecurity reference design that addresses this challenge.

