From unique applications to machines that can’t just be turned off, patching isn’t always straightforward in the Australian public sector
With a heightened threat landscape and increasingly stringent compliance regulations, cybersecurity leaders in government are compelled to shore up vulnerability management processes.
But while resources exist that mandate what must be done in order to achieve maturity against a framework like the ASD’s Essential 8, the vulnerability journey is littered with challenges.
“There’s an interesting aspect to the regulatory framework in that it can sometimes create a compliance burden that doesn’t necessarily reflect the risk you are trying to tackle,” Former ATO Chief Information Security Officer Jamie Norton says.
“You can get caught up in the wording and embedding because it says you have to, while losing sight of the intent of what you are trying to do. That was something we had to be really careful of.”
Norton says recent changes to the Essential 8, which make vulnerability management a requirement for baseline maturity and compliance, run the risk of being treated as box-ticking exercises that result in incessant scanning and data piling up without guaranteeing an outcome.
“That might end up earning you compliance but it’s not effective,” he says. “I think that’s where departments can lose momentum; if teams become solely focused on the regulation and not so much about the overall effectiveness or the outcome.”
Former Fire & Rescue NSW CISO Asaf Ahmad says despite the Essential 8 demanding immediate patching in cases of the most critical patch releases, this advice doesn’t help for zero-day scenarios.
“Patches are classified depending on how critical they are; this helps cybersecurity leaders implement them according to their patching cycles,” he says. “But in the case of zero-day vulnerabilities, wherein a vulnerability has been discovered and a patch for it doesn’t exist, cybersecurity leaders need to have workarounds so that the exploit can’t be used to cause damage.”
Unique Systems and Isolation
While compliance or regulations represent the beginning of a vulnerability management approach, the standards don’t account for each unique use case.
ACT Government acting CISO Julian Valtas says there may be situations in which it becomes bad practice to follow a piece of compliance advice to the letter, in which case cyber teams and analysts need to think strategically.
“Even some of the things that the ACSC suggest, like 48-hour patching, for example, can create a challenge. Sometimes mission-critical systems may not lend themselves to 48-hour patching with robust testing,” Valtas says.
“The value of our own analysis is making an assessment about whether or not the system has out-of-band access, whether it has firewalls, strong authentication or other security controls.
“We try to enrich the context of what a given vulnerability means to us. For instance, if a vendor rates something as high risk, the way we’ve implemented that system on our network might put us at a much lower level of exposure.”
ARPANSA CISO Kathryn Green, whose organization is a chiefly scientific agency focused on complex testing, measuring and safety assurance, says her team must also discover ways to reduce risk around hard-to-patch equipment.
“Some scientific systems are really integral to the work of the organization, and we don’t want to stop using them,” she says.
“But they can be potentially vulnerable if they are not updated or patched as regularly as we would like. We always do a risk assessment when considering the frequency of patch timings and review advice from the ACSC and manage accordingly.”
Another pain point for cybersecurity leaders can arise when critical applications reside on legacy hardware, which doesn’t lend itself particularly well to scanning or appearing on the network, Qualys Director for Technical Account Management in ANZ Walter Manyati says.
“Legacy systems are difficult to manage simply because an organization might have a reliance on them. For example, an old instance of a piece of enterprise resource planning software that talks to many other devices or services,” he says.
“In the best environments I’ve seen, there’s a plan in place to move away from these or to make sure that it’s kept as robust and secure as possible. In the worst environments, people just say, ‘Well it’s there and we can’t do anything about it’. With those, it’s necessary to consider a good risk management process. Understanding how many of these types of assets there are, where they are, who owns them and what runs on them.”
Software Diversity and Demand
The diverse needs of the many business areas of government make the issue of scale and software demand and complexity another major challenge, according to ACT CISO Julian Valtas.
“Updating and packaging software and analysing threats and vulnerabilities takes a lot of labour effort to manage effectively, even when supported by good tooling,” he says.
“The ACT Government has both the functions of a local and state government all in one. We have hundreds of discrete business units under eight directorates and whilst we all enjoy ‘core’ software like Office 365, browsers, video conferencing tools and media players, there is niche software required to support many business units.
“This is one of the reasons the government has a cloud-first strategy backed by governance to ensure that information has appropriate security measures.”
Valtas adds while there is often demand for new software from departments, each must be considered very carefully.
“Whilst we could package up a piece of requested software for government, it would become another software package with frequent updates required for security and capability that would need to be owned by a business unit for the lifecycle of the application,” he says.
“This sprawl can be a real struggle from my perspective and the total cost of ownership of effective patch and vulnerability management when the application portfolio is large.”
ARPANSA CISO Kathryn Green says the agency frequently launches new projects and likes to innovate, with staff often interested in new software solutions. This presents procurement challenges.
“We need to understand how a new system works and we need to understand what impact this new system is going to have on our cyber security landscape,” she says.
“Meeting our organization’s strategic objectives and solving business problems along the way is so important but being able to make new products work and fit with our cyber security landscape can be really challenging. Despite what some might think, cyber security people do dislike being the ones to say ‘no’.”