Zero Trust Meets OS Patch Management
New vulnerabilities in our software, and in operating systems in particular, keep appearing in the EU and worldwide. Apple recently issued a security update, iOS 14.4, to patch three actively exploited zero-days in iOS 14.2 that were likely being used as an exploit chain. This is one example of the many vulnerabilities that can be mitigated with an available patch.
One of the mantras of organisational defence is “keep your patches up to date.” Very sound advice. Not always practical. So the concern arises: what if I miss something?
In the real world there are often reasons why this can happen. It could be that the device is unknown, off the radar and not part of the inventory. It could be that there are too many devices to update. Remembering back to WannaCry days there was a crying need to patch all endpoints.
“A common mantra is "patch everything." But the operational challenges that this poses can be insurmountable. Checking status at the point of entry helps mitigate this risk in a practical and immediate way.” — Richard Archdeacon, Advisory CISO, Duo Security
But there was a limited time frame in which to make the patches work. In a “Critical³” scenario it could be that a Critical device is running a Critical process that cannot be stopped at a Critical time: a process control device, for example, or a month-end payroll run. And what about change control? Often tricky to obtain.
So, whilst the advice is sound and should be followed, it is often not so easy. It raises the question, “So, what if I miss something?”
Policy Controls Can Make Sure Patches Are Current
This is one of the reasons the Zero Trust approach makes sense: policy is enforced at the time of access. There are many tools that can scan a network and report on operating system status, or on other potential attack surfaces such as browsers, across devices.
But such a scan is a relatively static snapshot and may not, for example, include third-party devices. Checking at the point of access that a device is up to date, and asking the user to update it if it is not, builds in a more flexible line of defence.
The policy that determines what update level a device must reach can be implemented rapidly through a centralised set of controls. The user cannot proceed unless the way is clear, that is, until the device is no longer outdated and insecure. This provides a backstop in case a device has been missed by an update programme: if it was missed, it will be blocked until it is updated.
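As an added illustration (not Duo's code or product logic), this is the shape of such an access-time check: a centrally defined minimum OS version per platform, a grace period before enforcement so users can update at their convenience, and a deny-by-default for unknown or unparseable device posture. Platform names, version numbers and dates are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

# Minimum OS versions and the date from which they are enforced. Constructed
# sample values, not a real vendor baseline; a production policy would track
# each platform's current security release.
POLICY = {
    "ios": ("14.4", date(2021, 2, 8)),
    "macos": ("11.2", date(2021, 2, 8)),
    "windows": ("10.0.19042", date(2021, 3, 1)),
}

@dataclass
class Device:
    os_name: Optional[str]      # None models an unknown, off-inventory device
    os_version: Optional[str]

def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """'14.4.1' -> (14, 4, 1); returns None for anything that is not numeric."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except ValueError:
        return None

def version_at_least(have: Tuple[int, ...], want: Tuple[int, ...]) -> bool:
    """Compare component-wise, padding the shorter tuple with zeros ('14.4' == '14.4.0')."""
    width = max(len(have), len(want))
    return have + (0,) * (width - len(have)) >= want + (0,) * (width - len(want))

def access_decision(device: Device, today: date) -> Tuple[str, str]:
    """Return (decision, reason): 'allow', 'warn' (update requested but still
    admitted until the enforcement date) or 'block'. Unknown posture is blocked."""
    if not device.os_name or not device.os_version:
        return "block", "device posture unknown: enrol device and report OS version"
    rule = POLICY.get(device.os_name.lower())
    if rule is None:
        return "block", f"no policy defined for platform {device.os_name!r}"
    minimum, enforced_from = rule
    have, want = parse_version(device.os_version), parse_version(minimum)
    if have is None:
        return "block", f"unparseable OS version {device.os_version!r}"
    if version_at_least(have, want):
        return "allow", f"{device.os_name} {device.os_version} meets minimum {minimum}"
    if today < enforced_from:
        return "warn", f"update to {minimum} required by {enforced_from.isoformat()}"
    return "block", f"{device.os_name} {device.os_version} is below minimum {minimum}"
```

The decision and reason would be fed back to the user at login so that they know exactly which update clears the block.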
The question may arise as to why this is needed if the user has to authenticate themselves and prove their identity. Isn’t confirmation of identity sufficient to establish a level of trust?
Maintaining Trusted Endpoint Security
A trusted identity does reduce risk enormously. However, a compromised device combined with increased user trust may lead to increased risk. The user will be given access because they are trusted. But an attacker may have gained control of the device, and thus established a trusted path to the organisation’s resources. So trusted user and trusted device are complementary controls. Again, having both managed by rapidly enforced policies means flexible controls at the point of access.
“Trusted access gives you a backup option if you don’t have visibility of a device. It helps you check the unknown and make sure it is known.” — Richard Archdeacon, Advisory CISO, Duo Security
When focused on the endpoint, this cannot be achieved without the human touch. It is the business colleagues who then become the first line of defence. They are the people asked to make the update and raise the defence levels. So it is important to ensure that they are provided with tools that are easy to use. They are not there to do security. They are there to do their daily jobs. So make it easy.
Supporting Your Colleagues With Security Awareness
In addition, make sure that your colleagues are well-trained. Not with the usual awareness training. But in how they are helping protect the organisation. And in a BYOD (bring your own device) world, how they are protecting themselves.
Enable them to update, where possible, at their convenience rather than with a forced update. Security should fit in the work day. This may help to create a greater level of trust between the security teams and the colleagues who they protect and support.
This approach will reduce the risk of the unknown device, the time lag while change control is obtained, and the need to schedule an update in an operational environment.
And so with this approach perhaps the question can now be “So what if I miss something? I am good.”
Try Duo For Free
Start our free 30-day trial and see how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.