What does the critical CISA directive mean and how should you respond?

Let’s face it – everyone’s had just about enough. Exploits are everywhere, and it’s almost impossible to deal with the problem to a watertight degree.

Some organizations make a solid effort, deploying cutting-edge vulnerability management solutions and live patching to minimize the impact of vulnerabilities, but many others struggle, and some make no effort at all.

This lack of action creates opportunities for malevolent actors, and the Cybersecurity and Infrastructure Security Agency (CISA) had seen so many successful exploits that it felt it needed to draw a line – forcing the agencies it has authority over to act.

That’s why, on November 3, CISA issued a new directive that compels civilian federal agencies to address 306 critical vulnerabilities that CISA found commonly leads to successful exploits.

Who is the CISA, and what is a CISA directive?

The Cybersecurity and Infrastructure Security Agency is a federal agency established under the oversight of the US Department of Homeland Security to oversee and manage the cybersecurity risks faced by US federal government agencies.

CISA issues binding directives covering critical cybersecurity topics of the day and federal agencies are compelled to respond to these directives. In other words, when CISA issues a directive, countless government organizations are obliged to act – for example, by remediating a vulnerability.

It’s also worth noting that when a directive is issued by CISA it applies to all affected software and hardware used in federal information systems: whether these systems are hosted by the agency, or supplied by a third-party vendor – which broadens the implied scope of a CISA directive.

What does the latest CISA directive say?

Like we said at the start of this article, everyone’s getting fed up with the consequences of the complex cybersecurity landscape. And the consequences of inaction grow every day. That’s why, in its latest directive, CISA published a list of 306 vulnerabilities that federal agencies are forced to fix within a specific deadline.

CISA published this list because it found that a specific set of vulnerabilities are responsible for a large proportion of successful cyberattacks. The intent was to ensure that federal agencies remediate these vulnerabilities to significantly reduce the overall number of successful cyberattacks on government agencies.

The directive also contains a range of validation and reporting requirements that are beyond the scope of this article, but which does point to how seriously CISA takes the issue at hand. The recent CISA directive is an effort to improve an imperfect situation to the greatest extent possible by addressing the most dangerous exploits.

Examples of vulnerabilities included in the CISA directive

Now that we know what a CISA directive is, let’s look at the vulnerabilities covered – and why they matter. It’s a broad range of vulnerabilities – from server infrastructure (Linux and Apache for instance) through to applications from Microsoft and SAP, and it even includes vulnerabilities in both popular mobile operating systems. Everything in between is also covered – the list even touches on security tools from Sophos, SonicWall and Trend Micro.

Take for example the Widget Connector macro vulnerability in Atlassian Confluence, a popular collaboration tool used by both commercial and government enterprises. This vulnerability allows attackers to remotely mount a remote code execution and path transversal attack by utilizing server-side template injection.

Another example is related to the popular Apache HTTP Server – where several Apache Release 2.4 versions contain a scoreboard vulnerability. Attackers can execute code in less privileged child processes and escalate the execution of arbitrary code to parent processes with full system privileges. This Apache vulnerability is listed as CVE-2019-0211 and, again, CISA included it in its list because it’s a dangerous exploit that’s commonly used in the wild.

It shows just how wide the range of vulnerabilities are that are covered by the CISA directive which in turn shows how widespread the cybersecurity threat is – threats are hiding everywhere, and it’s undoubtedly challenging to comprehensively manage these threats.

Hang on, what does CISA have to do with us?

The CISA directive is pointed to federal agencies across America. You might well wonder – what does a US government directive have to do with commercial enterprises – never mind businesses located in other countries?

While CISA’s latest directive does not hold any authority over organizations outside of the US federal government, it does bring several worthy lessons.

First, CISA collated data on cybersecurity incidents and listed the vulnerabilities that most commonly lead to harm. Your organization should consider monitoring this list – which will continue to change – to see whether you rely on any of the applications, services, or devices listed in the brief. If you do, consider patching these as fast as you can – or moving to alternative solutions. It’s important to point out that, by the description provided by CISA, those are vulnerabilities that are known to be exploited currently – so it’s more than just patching something that may eventually get exploited, these bugs are actively being exploited.

But there’s a broader issue at stake. Like we pointed out at the start of this article, vulnerabilities and the associated cyberattacks are so pervasive that everyone’s just getting tired of it. Mitigation works, but up to a point.

This targeted list produced by CISA is an attempt to draw attention to the most harmful vulnerabilities – but by implication, it acknowledges that typical vulnerability management efforts simply aren’t cutting it. Something needs to change.

Existing strategies are challenging

So, while the list attached to the CISA directive points to critical, immediate fixes, it only exists because of imperfect risk management strategies. More specifically, it shows how incomplete the typical patching regime is – many of the vulnerabilities on the CISA list could, after all, easily be remediated with simple patches.

The CISA list isn’t at all an alternative to continuous vulnerability assessment and patching – it is just a response to the fact that cybersecurity risk strategies just aren’t perfect. The underlying message is that organizations need to sharpen up their cybersecurity risk management, whether they are under the remit of CISA or not.

Doing so is not straightforward, of course, due to limited time and resources – as well as the practical implications of mitigation strategies. Look at patching, for example. Yes, everyone knows that patching matters but in reality patching often gets neglected. Patching is neglected because sysadmins don’t have the time to patch thoroughly – and because patching can be disruptive, leading to downtime that frustrates stakeholders.

In financially-pressured government departments, the budget and resources might not be there and there may well be nobody with ultimate responsibility. But that goes for commercial organizations too.

Improving patch management is a start

Patching is a conundrum: even if you have the resources to patch, the associated disruption can be a dealbreaker. There are ways to work around the disruption – relying on extensive planning can help, while load balanced, redundant systems can also help minimize the impact of patching. But even with the best efforts, patching remains imperfect – leaving opportunities for attackers.

Thankfully, cutting-edge tech has a habit of getting us out of tough spots. And that’s the case with patching too – thanks to what’s called live patching, sysadmins can ensure that patches are applied to critical services without the need to restart those services.

Live patching is a simple, automated way to patch commonly used, critical services, with patching on the fly. Live patching reduces the time consumed by patching so that sysadmins can patch more thoroughly while freeing up time for other pressing tasks.

Limit disruption – and improve security

Most importantly, however, live patching eliminates disruption. In other words, thanks to live patching, tech teams can ensure that patching occurs consistently and efficiently, without the need to pause services, plan for maintenance windows, or to coordinate the cooperation of stakeholders. In other words, fewer things are getting in the way of patching.

And we all understand the benefits of patching consistently: when patches are applied about as fast as they are released it minimizes the window of opportunity for an attacker. You can’t patch faster than the speed at which patches are released, and between zero-day and the release of a patch, there is always a window.

However, it takes time for attackers to explore a vulnerability and to find a target, and broadly speaking patches are released fast enough to stop the majority of attackers in their tracks. Miss applying the patch – and there’s a greater opportunity for an attack. But apply the patch as soon as it comes out, and the window of opportunity is minimal.

The core lesson of the CISA directive

Patching and indeed other cybersecurity mitigation methods aren’t applied as consistently as they should be. It leaves attackers with wide – sometimes indefinite – windows of opportunity for malevolent actors to mount an attack. That’s why CISA felt motivated to publish a directive – the CISA list contains commonly attacked vulnerabilities that CISA knows federal agencies weren’t getting around to patching.

The moral, of course, is that patching should be improved and likewise for other cybersecurity measures. There shouldn’t be a need for CISA or anyone else to publish a reminder of patches that need to be addressed.

So that’s where we are then – imperfect patching that gets so bad in practice that a US federal agency needs to issue a directive. The answer? Better patch management, and better security management on the whole. Thankfully the necessary tools are slowly emerging – and when it comes to patching, live patching is a quick win – there’s no way of patching systems faster than that.