A small number of root causes account for many data breaches, malware infections, and other security incidents. Implementing a few relatively simple security hygiene practices addresses those root causes, preventing many incidents from occurring and lowering the potential impact of those that still occur. In other words, security hygiene practices make it harder for attackers to succeed and reduce the damage they can cause when they do.
Unfortunately, security hygiene is easier said than done. IT professionals have known for decades that patching software—operating systems and applications alike—remediates known vulnerabilities. Despite widespread recognition that patching is effective, it is also resource-intensive, and the act of patching itself can reduce system and service availability. Delaying patch deployments to avoid that disruption, however, gives attackers a larger window of opportunity to exploit the unpatched vulnerabilities.
The Critical Cybersecurity Hygiene: Patching the Enterprise Project will examine how commercial and open source tools can aid with the most challenging aspects of patching general IT systems, including system characterization and prioritization, patch testing, and patch implementation tracking and verification. The project will also provide actionable, prescriptive guidance on establishing policies and processes for the entire patching lifecycle, including defining roles and responsibilities for all affected personnel and establishing a playbook of mitigation actions for destructive malware outbreaks.
This project will result in a NIST Cybersecurity Practice Guide, a publicly available description of the practical steps needed to implement a cybersecurity reference design that addresses this challenge.
If you have any questions or suggestions, please email the project team at cyberhygiene@nist.gov.