COI Report – Part VII Page 376 of 425

1095. In general, this prioritisation should be based on the following criteria:

a) Threat – A threat is any potential direct danger to information systems, or software that is exposed to a higher degree of risk (e.g. by virtue of its exposure to the internet). Examples of systems facing high threat levels are web servers, email servers and applications, and servers containing sensitive information. Special focus must be placed on patching of email applications, as email attacks are now the most common vector for initial intrusions into systems.[104] Indeed, in this case, CSA’s hypothesis is that the initial infection originated from a phishing email.

b) Vulnerability – A vulnerability signifies the absence of, or a weakness in, a safeguard which could be exploited by an attacker. For example, it could be outdated software, which is less secure.

c) Criticality – This is a measure of how important or valuable a system is to operations. For example, database servers and network infrastructure would be considered more critical to operations.

1096. Systems facing more threats, or that are more vulnerable, or are mission-critical should be accorded a higher priority in the patch management process. MOH family’s view is that patching should be carried out comprehensively for all assets connected to the network, in a manner which poses the least cybersecurity exposure.[105] Should a patch be assessed to be less urgent or critical, steps should be taken to mitigate any exposure before the patch is deployed. In general, comprehensive patching of all assets connected to the network greatly mitigates the risk associated with unpatched machines.

[104] SANS Institute, Securing Against the Most Common Vectors of Cyber Attacks, SANS Institute Reading Room, August 2017.

[105] This section maps to CIS Control 3 Continuous Vulnerability Management and CIS Control 8 Malware Defences.
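As an added example, not from the report, the three criteria in paragraphs 1095 and 1096 turned into a small patch-triage scoring over a constructed inventory: assets are ranked by threat, vulnerability and criticality, and any patch that falls below the urgency threshold is flagged for interim mitigation before deployment. The field names, weights, criticality table and threshold are assumptions chosen to illustrate the ordering, not values from the COI report.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    internet_exposed: bool      # threat: reachable from the internet
    handles_email: bool         # threat: email is the most common initial-intrusion vector
    holds_sensitive_data: bool  # threat: attractive target for data theft
    outdated_software: bool     # vulnerability: known weak or unsupported components
    missing_safeguards: int     # vulnerability: number of absent controls (constructed count)
    role: str                   # criticality: what the system does for operations

# Assumed criticality weights: database servers and network infrastructure rank highest.
CRITICALITY = {"database": 3, "network": 3, "web": 2, "email": 2, "workstation": 1}

def threat_score(a: Asset) -> int:
    # Email exposure is weighted double (assumed), following the report's emphasis on email.
    return int(a.internet_exposed) + 2 * int(a.handles_email) + int(a.holds_sensitive_data)

def vulnerability_score(a: Asset) -> int:
    # Outdated software counts 2; each missing safeguard adds 1, capped at 2 (assumed weights).
    return 2 * int(a.outdated_software) + min(a.missing_safeguards, 2)

def criticality_score(a: Asset) -> int:
    return CRITICALITY.get(a.role, 1)

def patch_priority(a: Asset) -> int:
    return threat_score(a) + vulnerability_score(a) + criticality_score(a)

def patch_queue(assets: list[Asset], urgent_threshold: int = 5) -> list[tuple[str, int, str]]:
    """Rank assets for patching. Below the threshold the patch is still scheduled,
    but the exposure must be mitigated first (compensating control, isolation)."""
    ranked = sorted(assets, key=lambda a: (-patch_priority(a), -criticality_score(a), a.name))
    queue = []
    for a in ranked:
        score = patch_priority(a)
        action = "patch now" if score >= urgent_threshold else "mitigate exposure, then patch"
        queue.append((a.name, score, action))
    return queue

# Constructed sample inventory, not from the report.
INVENTORY = [
    Asset("mail-gw", True, True, False, True, 1, "email"),
    Asset("patient-db", False, False, True, False, 0, "database"),
    Asset("www-portal", True, False, False, True, 0, "web"),
    Asset("hr-ws-12", False, False, False, True, 2, "workstation"),
    Asset("core-switch", False, False, False, False, 0, "network"),
]

if __name__ == "__main__":
    for name, score, action in patch_queue(INVENTORY):
        print(f"{name:12s} priority={score:2d}  {action}")
```

The ranking places the outdated, internet-facing email gateway first and the fully patched core switch last, even though the switch is highly critical, because the score combines all three criteria rather than any one of them.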