This week, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive requiring the immediate deployment of patches for five VMware products vulnerable to remote code execution or privilege escalation to root. The vulnerabilities impact VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.
Patches are available, so yes, you should patch, and you should have patched yesterday!
This is only the 10th emergency directive CISA has issued in its three-year history. We expect CISA and other government agencies to continue to weigh in on vulnerability and patch management, so organizations, both government and private sector, should be prepared to respond.
Use Directives To Prioritize Patches
Should CISA directives be taken seriously? Yes. Do enterprises need to adhere to them? Well, if you do business with or provide services to the US federal government, then the answer is still yes. If your organization does neither of these, you’re in a grey area of compliance.
While CISA is still in its infancy under the umbrella of Homeland Security, its authority for holding agencies accountable or even penalizing them remains to be seen. The same applies to contracted companies under those agencies. A statement by Jen Easterly, CISA Director, made during the Log4j vulnerability event, may help indicate whether that grey area is a lighter or darker shade:
“We have added this vulnerability to our catalog of known exploited vulnerabilities, which compels federal civilian agencies — and signals to non-federal partners — to urgently patch or remediate this vulnerability.”
In the private sector, governing bodies like the Federal Trade Commission (FTC) have levied penalties on firms or sued them for their role in data breaches. Equifax, for example, settled with the FTC and other regulators for $575 million after its 2017 data breach. These actions are typically post-breach, and Log4j illustrates the pattern: the FTC warned private companies that it would pursue firms that failed to remediate the vulnerability, but it has not taken legal action yet. For now, there is no US precedent for penalizing public, private, or federal entities solely for failing to apply a patch for a discovered and publicized vulnerability, absent a breach.
Treat CISA directives as additional vulnerability intelligence that feeds your patch prioritization. You likely already prioritize based on severity, exploitability, the existence of public exploits, and asset exposure. A CISA directive, or an entry in CISA's Known Exploited Vulnerabilities catalog, is the strongest signal of all: it means the vulnerability is being exploited in the wild, so the covered CVEs should jump to the top of the queue regardless of their CVSS score.
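The prioritization rule above is easy to state and easy to get wrong in a spreadsheet, so here is one way to encode it. This is an added example, not code from the original post or from CISA; it assumes a scanner export with `cve`, `cvss`, `exploit_public`, and `internet_facing` fields, and it uses a constructed subset that mirrors the field names of CISA's `known_exploited_vulnerabilities.json` feed (`cveID`, `dueDate`, `knownRansomwareCampaignUse`). The CVE identifiers and asset names are placeholders invented for the example.

```python
"""Rank scan findings so that CISA KEV-listed CVEs always come first.

Added example (not from the original post). Assumes a scanner export with the
fields shown in SCAN_FINDINGS and a KEV catalog in the shape of CISA's JSON feed.
"""
import json
from datetime import date

# Constructed KEV subset. Field names follow CISA's feed; the CVE IDs are
# placeholders, not real catalog entries.
KEV_JSON = """{
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "dueDate": "2022-05-23",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0002", "dueDate": "2022-06-10",
     "knownRansomwareCampaignUse": "Known"}
  ]
}"""

# Constructed scanner export: one finding per (asset, CVE).
SCAN_FINDINGS = [
    {"asset": "vidm-01",  "cve": "CVE-0000-0001", "cvss": 9.8,
     "exploit_public": True,  "internet_facing": True},
    {"asset": "build-07", "cve": "CVE-0000-0003", "cvss": 9.9,
     "exploit_public": True,  "internet_facing": False},
    {"asset": "hr-db-02", "cve": "CVE-0000-0002", "cvss": 7.2,
     "exploit_public": False, "internet_facing": False},
    {"asset": "www-03",   "cve": "CVE-0000-0004", "cvss": 6.5,
     "exploit_public": False, "internet_facing": True},
]


def load_kev(kev_json):
    """Index the KEV feed by CVE ID for O(1) lookups."""
    data = json.loads(kev_json)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def priority_key(finding, kev, today):
    """Sort key; lower tuples sort first.

    Tier 0: on the KEV catalog (CISA has set a due date). Within the tier,
            fewer days to the due date sorts first, so overdue items (negative
            days) float to the very top.
    Tier 1: public exploit exists but not (yet) on KEV.
    Tier 2: everything else.
    Ties are broken by internet exposure, then by CVSS descending.
    """
    entry = kev.get(finding["cve"])
    if entry is not None:
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        tier, tiebreak = 0, days_left
    elif finding["exploit_public"]:
        tier, tiebreak = 1, 0
    else:
        tier, tiebreak = 2, 0
    return (tier, tiebreak, not finding["internet_facing"], -finding["cvss"])


def prioritize(findings, kev_json, today):
    """Return findings in patch order, annotated with KEV due date and overdue flag."""
    kev = load_kev(kev_json)
    ranked = []
    for f in sorted(findings, key=lambda f: priority_key(f, kev, today)):
        entry = kev.get(f["cve"])
        annotated = dict(f)
        annotated["kev_due"] = entry["dueDate"] if entry else None
        annotated["overdue"] = bool(
            entry and date.fromisoformat(entry["dueDate"]) < today
        )
        ranked.append(annotated)
    return ranked


if __name__ == "__main__":
    for f in prioritize(SCAN_FINDINGS, KEV_JSON, date(2022, 5, 25)):
        flag = "OVERDUE " if f["overdue"] else ""
        print(f"{flag}{f['asset']:9} {f['cve']}  cvss={f['cvss']}  "
              f"kev_due={f['kev_due']}")
```

Note what the ordering does with `hr-db-02`: a CVSS 7.2 finding with no public exploit on an internal host outranks a CVSS 9.9 finding with a public exploit, purely because it is on the KEV catalog. That is the point of the directive signal: exploitation in the wild trumps theoretical severity. In production, fetch the feed from CISA on a schedule rather than embedding it, and treat a past `dueDate` as a standing incident, not a backlog item.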
From Nicotine Patches To Software Patches
Perhaps we should think of CISA as the surgeons general who told us for decades to stop smoking. They had the research, evidence, and expertise to prove that smoking exploited your lungs and breached lifespans. They published papers, posted warnings on packages, and ran public education campaigns, but they had no authority to ban or regulate smoking. Many smokers who heard but ignored the advice suffered the consequences; some survivors patched nicotine onto their shoulders.
Ignoring advice from our experts at CISA can lead to breaches that take the breath out of your organization. And just as state and federal governments enacted legislation around smoking for consumers, we should expect the same for industries around vulnerabilities. We’ll have to wait and see if consumer lawsuits will play a part or not.
Don’t Let DevSecRegOps Become The Next Thing
Regulation and legislation around patching will undoubtedly add burden to already-overwhelmed IT operations. If government agencies succeed in imposing vulnerability requirements, regulatory checks could become yet another gate in your DevSecOps pipeline.
Although government agencies are well intentioned, blanket IT requirements for all organizations do not jibe with every organization's environment, compensating controls, and risk appetite.
Prepare your PR and government relations teams to communicate the challenges of patch mandates to your elected officials. But don't feed the problem and hand legislators ammunition: practicing good cyber hygiene and keeping patches up to date hardens your organization against the data exposure and availability issues that follow from exploitation.
CISA Directives Should Mean Incident Declaration … For Now
The currently low rate at which CISA issues emergency directives means each one should warrant immediate attention from your security leadership. Enact incident response procedures just as you would if an indicator of compromise had been detected: analyze the impact, contain the vulnerable assets, eradicate the threat (typically by patching, or by applying the vendor's workaround until you can), then test and recover. It's equally crucial to conduct a lessons-learned exercise and track corrective actions, as you hopefully did with Log4j.
As the volume of vulnerabilities remains historically high, CISA could increase the frequency of directives, at which point you may want to reconsider whether every directive still merits a full incident declaration. Other government agencies, in and out of your jurisdiction, may issue similar directives. Monitor these, but engage your compliance and legal teams so you understand the mandates, the consequences for noncompliance, and best practices around directives, regulations, and legislation.
Document procedures and appropriate contact info for compliance and legal teams in your incident response and critical vulnerability response plans. Reach out to critical third-party vendors to ensure they are on top of CISA directives, too.