Patching in Federal Government Networks

Posted on by Tyler Jaeger

Ivanti is committed to our customers who uphold the Nation’s highest commitments. To this end Ivanti believes that the mission our customers fulfill should not be impeded or constrained by the security stance they take. In these security conscious situations, it’s considered both mandatory and best practice for nodes within these networks to be either disconnected or entirely air-gapped.

(Context: A disconnected network can traverse its own internal network/intranet but is disconnected from the broader internet. Conversely – an air gapped environment is even further isolated – being entirely independent with no connectivity to either a larger intranet or internet.)

Despite these efforts – the risk of exploitation is not absolved simply by disconnecting or placing nodes into an air-gapped state. Network isolation of these servers & endpoints is only one aspect within a zero-trust security paradigm that these Sys-Admins have to contend with.

Technical administrators of these environments are still responsible for maintaining their systems against on-going vulnerabilities. The patching of these systems acts as a counter measure against insider threats within these systems. These vulnerabilities are more than the standard Patch Tuesday Windows OS vulnerabilities. A significant majority of these vulnerabilities exist in the 3rd party Application Eco-System. According to The U.S. National Vulnerability Database – Microsoft exploits only account for 15% of total vulnerabilities today.

Ivanti Patching in Federal Gov Networks Blog Embedded Image 2024

Patching these systems can be extremely tedious and time-consuming, but also manually intensive. This time could be better spent performing strategic security measures, or not spent at all. As a result of this lengthy process critical systems can be impacted and left open to vulnerabilities. A report from the GAO (As detailed in Pg. 46 of the GAO Report 16-501: Agencies Need to Improve Controls over Selected High-Impact Systems) shows that this has historically left even critical vulnerabilities unpatched after a significant time period (In the report – several years). To address these issues, Ivanti assists our customers by automating the remediation of the vulnerabilities found within their system, while also providing a record of truth, and reporting to these workflows.

Ivanti’s Disconnected Patching Capability

Ivanti’s product portfolio not only includes its flagship cloud-based Product Suite, and also a strong array of On-Premise based products. Two products worth highlighting for this are Ivanti Security Controls (ISEC), and Ivanti Endpoint Manager (EPM). Both products have On-Premise deployment options which extend into Disconnected and Air-Gapped Use-Cases.

At a high-level, Ivanti services disconnected / airgapped environments via the use of servers placed within those environments. Those servers then act as a repository for OS patches (Incl. Windows, Linux, and Mac), along with 3rd Party Application Patches. Reference this example diagram of a disconnected instance of Ivanti ISEC. In this example, a central environment is used to download and prepare patches for the environment. Then, one-to-many disconnected environment can then be stood up with patches and management provided via a ‘File Transfer Service’. This service can mean two things: either an approved Media Devices to enable transfers when no connectivity can exist, or a staged approach in which connectivity for a Centralized console is alternated between the Internet and a Disconnected Environment. Where approved, this prevents a direct link between the internet and the disconnected environment.

One additional note with this diagram is that both the Central Rollup Console and Connected Environment can also be connected on temporarily, even if only to update definitions in support the disconnected portions of the deployment.

Ivanti Endpoint Manager (EPM)

On the flipside, we can take the disconnected / connected philosophy we mentioned in ISEC and apply it to our EPM product. Like with ISEC an admin can create multiple EPM consoles, or cores without any additional charges. Those cores can be deployed as disconnected or ‘dark’ cores. Vulnerability Definitions and Patches can then be copied from a connected environment into the disconnected environment via the same preferred ‘File Transfer Client’ of choice. This methodology has been proven amongst our customer base who have effectively deployed this into disconnected and airgapped instances for both ISEC and EPM.

Modernized & Automated Patching Workflows

Modernizing the patching process means reducing the Mean Time to Patch, and strategically securing against vulnerabilities. To that end, Ivanti provides Neurons for Risk Based Vulnerability Management – a Vulnerability Management system that provides contextualization around threats (Ex. ‘Trending’ Vulnerabilities or Vulnerabilities could be executed without physical access to the target).

RBVM also provides the necessary patches and remediation for those vulnerabilities. By integrating our Patching and RBVM we modernize patching into a strategic and automated process. Files containing the vulnerabilities deemed most risky can be loaded into solutions like EPM to determine and provide patches. This workflow can still apply even in disconnected and airgapped use cases. RBVM could connect to the Rollup Core while disseminating patches via the process mentioned above.

How Ivanti can Help

Between Ivanti’s EPM & ISEC products, a System Administrator would have full range to patch the Windows, MacOS, and Linux Servers and Workstations within their environments. Patches also extend to 3rd Party Applications in which a significant portion of vulnerabilities originate. Ivanti also has a team of QA testers that validate the patches within its 3rd Party Patch Catalog to ensure no patches will cause a crash to the system. This patching can apply to both connected, and disconnected environments without any additional charges for scaling your Console Server Deployments.

In the case of ISEC – ISEC can discover and patch endpoints both with an agent and agentlessly. ISEC can also integrate with On-Premise VMware ESXi environments and patch ESXi hosts, as well as images and offline VM’s, thus further centralizing and reducing time to patch across the environment. Conversely – EPM provides users with a full suite of Endpoint Management capabilities in addition to patching including Discovery and Data Normalization, OS Provisioning, Software Distribution, User Profile Management, Remote Control, and Integrated Patching and Endpoint Security.

Additional Resources

For further reading, please consider Ivanti’s Product documentation around this subject. These references can provide additional documentation around how to establish:

About Ivanti

Ivanti was created in 2017 with the merger of Landesk and HEAT software. We are a powerhouse IT solution with over 30 years of combined experience. Ivanti finds, heals and protects every device, everywhere – automatically. Whether your team is down the hall or spread around the globe, Ivanti makes it easy and secure for them to do what they do best.

Ivanti is committed to supporting our customers requiring either Cloud or On-Premise deployment requirements. In both of those deployment paths Ivanti’s Portfolio contains accredited solutions including the following certifications: DoD ATO, Army CoN, Common Criteria, DoDIN APL, DISA STIG, DoD IL2 & IL5 Private Cloud, DoD ATO, NIAP MDM PP v4, NIAP Common Criteria, NSA CSFC, FIPS 140-2, FedRAMP Moderate, & SOC 2 Compliances.

Connect with an Ivanti representative today and learn more about how Ivanti can support your MultiCloud initiatives.

Ransomware Security Strategies

Posted on by Alex Whitworth

One of the first challenges in combatting ransomware is recognizing the imminence of an attack and the impact it could have on an individual’s personal organization. For 60% of companies surveyed by ActualTech Media and Ransomeware.org, they reported spending zero to four hours on ransomware preparedness per month.^[¹^] Getting collective buy-in from administrators can be difficult since the cybersecurity measures put into place cannot show their full value without being hit by a ransomware attack; however, when compared to the number and scale of attacks occurring, greater attention to cybersecurity is imperative. The NIST Cybersecurity Framework (CSF) provides a guiding set of principles that inform strategies for mitigating ransomware risk. Addressing ransomware starts with identification of a security program followed by protection, prevention, detection, recovery and then security improvements. Ideally companies would follow this CSF outline but in reality, for most organizations the path looks different. Due to feasibility and order of highest critical priority, many companies first establish detection and recovery methods followed by protection, prevention, and security improvement.

RANSOMWARE DETECTION AND RECOVERY

When ransomware hits an organization, the biggest immediate concern is finding the problem and returning to business operations as usual. Many resources exist to assist with this endeavor including asset management tools that automatically inventory all devices on the network and monitor for potential ways malware can get in. Implementing edge detection allows companies to be alerted and quickly identify early on if the network has been compromised and which accounts and devices require isolation and additional measures to prevent the further spread to other servers, accounts and storage units. Anti-virus programs are also helpful to monitor endpoints for indicators of compromise or malware. By achieving early detection, companies can contain the malware and reduce data loss.^[²^] It also aids in preventing extended downtime which is very costly for operations and business reputation. Apart from the actual ransom, the downtime alone caused by cyberattacks in 2020 cost $20.9 billion to American businesses.^[¹^]

Once malware has been detected, a company’s recovery plan and preparation are put to the test. IT specialists and company administrators need to have an emergency plan in place so there are straightforward steps to recovery. Backups not only need to be created and stored off-site, but also updated on a regular basis and tested to ensure that they are a solid base for a system restoration. With most traditional backup systems, the data cannot be recovered fast enough to neutralize the ransomware’s impact on operations. Instead, a new strategy must be adopted that shifts from 200,000 files taking eight plus hours to restore via the traditional backups, to millions of files being recovered in minutes. Granular, immutable, verifiable snapshots are required to successfully recover all of an organization’s data.^[²^]

The Sophos “State of Ransomware” report indicated that 77% of healthcare organizations that did not experience a ransomware attack in 2021 attributed it to efforts such as backups and cyber insurance, which help with remediation but not prevention. This exposed an ongoing misunderstanding within the industry on cybersecurity methods.^[³^] Obtaining cyber-insurance does not prevent future attacks; however, instituting proper security strategies does decrease the susceptibility to ransomware. Recovery tools and insurance provide support during post-breach response but ultimately, in conjunction, organizations should strive to prevent the attack in the first place which requires implementing protection and prevention. According to the Government Accountability Office (GAO), cyber-insurance is a valuable resource to employ but noted that it is increasingly harder to acquire, due to the massive volume of cyberattacks, a higher bar of entry and more requirements to gain coverage and receive payouts. This leaves organizations who do not have sufficient security or insurance to face the recovery process and expensive remediation costs alone.^[⁴^]

RANSOMWARE PROTECTION AND PREVENTION

While most organizations invest in attack detection and recovery strategies, the protection aspect of the NIST CSF is equally important and an essential element to reduce the amount of recovery needed. Protection and prevention of ransomware attacks begins with establishing system routines and measures that make it more difficult for hackers to infiltrate. Through implementing Zero Trust user principles such as Multi-Factor Authentication (MFA), institutions and agencies can protect themselves by verifying the identity of employees. Poor password hygiene is one of the leading gateways to malware infiltration, making thorough employee training and password management software a baseline to reduce risk. The average user has access to over 20 million corporate files, making each employee a critical part of keeping the network safe and a huge liability if they are not vigilant and following best practices.^[²^] Segmentation of the network to provide user-specific access to data and system resources also creates safety barriers, so in the event of an attack the entire network is not automatically compromised. Around 80% of critical infrastructure companies without Zero Trust policies experience an $1.17 million increase in breach costs bringing to an average of $5.4 million per attack in 2022.^[⁵^]

Comprehensive Zero Trust authentication and data access control to limit complete access to the entire company’s files is a first step in this process. File indexing, which classifies the level of sensitivity of information contained, allows companies to better allocate resources to prioritize their protection of the most important or confidential files.^[²^] When processes are automated through these and other resources, it eases IT teams’ responsibilities and reduces the chance of error. Incorporating artificial intelligence (AI) and machine learning (ML) also expedites the identification of confidential information with metadata tags, along with advanced detection of suspicious network and user activity, and thereby minimizes inefficiencies.^[⁶^]

Organizations must rigorously search for security gaps and proactively work to close them. Some other measures to incorporate include:

Filtering for phishing emails and providing awareness training to minimize the possibility of a user accidentally clicking a malicious link
Utilizing firewalls to block unusual network traffic and segment the network to impede malware system communications
Monitoring software licenses to ensure they are updated and systems are adequately patched
Removing expired and extraneous user credentials and unused legacy technology
Tracking vulnerabilities on devices like IoTs, OTs, and employees’ personal devices used for work (BYODs) throughout the entire connection lifecycle
Implementing Zero Trust cloud security with container scanning and proxies like a Cloud Access Security Broker (CASB) and Zero Trust Network Access (ZTNA)

RANSOMWARE SECURITY IMPROVEMENT

Following an attack, companies have the opportunity to grow and improve from the situation as well as share resources with other public and private sector companies to strengthen defenses. Incident reporting is a key strategy to prevent future ransomware incidents and a top priority for the Cybersecurity and Infrastructure Security Agency (CISA). Agencies and organizations must support each other to defend against these cyber threats that affect every industry.^[⁷^]

To support this greater focus on information sharing, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 took effect in March requiring a more stringent timeline and adherence to disclosing cybersecurity attacks and ransomware payments to the government. CISA also now has the authority to subpoena critical infrastructure organizations if they do not report any cybersecurity incidents within 72 hours of a cyberattack and 24 hours of a ransom payment.^[⁸^]

This threat information sharing requirement along with other recent rules on reporting attack incidents strengthen organizations’ security posture and reduce the success rates of cyberattacks. Through these joint efforts and public-private partnerships, companies can recover faster, resume normal operations and support other businesses in the defense of their industry and the nation.^[⁹^]

To assist with incorporating these cybersecurity best practices, Congress passed the Infrastructure Investment and Jobs Act Public Law 117–58 which offers $2 billion to “modernize and secure federal, state, and local IT and networks; protect critical infrastructure and utilities; and support public or private entities as they respond to and recover from significant cyberattacks and breaches.”^[¹⁰^]

RANSOMWARE RISK MITIGATION

Tech modernization, while crucial to agencies and organizations’ survival and growth, also presents unique challenges in protecting those technologies.^[11] In their journey to securing their legacy and updated systems, companies must take the time to honestly evaluate their cybersecurity standing across the ransomware cycle and ensure their readiness to handle an attack. Utilizing NIST CSF security strategies and other resources help organizations to mitigate risk and empower other companies to learn and protect their systems. By implementing best practices and technologies to address cyber hacks and data breaches, companies are valuing both their customers and their own bottom line. Proactive cybersecurity measures are key for all companies to stem the tide of ransomware attacks and protect the continued growth of their organizations.

Learn about the current state of ransomware and its impact across sectors in our Ransomware Series. Visit our website to learn how Carahsoft and its partners are providing solutions to assist in the fight against ransomware.

Resources:

[1] “Everything You Need to Know About Ransomware,” Ransomware.org, https://ransomware.org/

[2] “Protect, Detect & Recover: The Three Prongs of a Ransomware Defense Strategy for Your Enterprise Files,” Nasuni, https://media.erepublic.com/document/Whitepaper-_A_Three_Prong_Ransomware_Strategy_-_Nasuni.pdf

[3] “The State of Ransomware in Healthcare 2022,” Sophos, https://news.sophos.com/en-us/2022/06/01/the-state-of-ransomware-in-healthcare-2022/

[4] “Healthcare data breach costs reach record high at $10M per attack: IBM report,” Fierce Healthcare, https://www.fiercehealthcare.com/health-tech/healthcare-data-breach-costs-reach-record-high-10m-attack-ibm-report

[5] “Cyber Attacks Against Critical Infrastructure Quietly Increase,” Government Technology, https://www.govtech.com/blogs/lohrmann-on-cybersecurity/cyber-attacks-against-critical-infrastructure-quietly-increase

[6] “Four Best Practices for Protecting Data Wherever it Exists,” Dell Technologies and Carahsoft, https://www.carahsoft.com/2nd-page/dell-4-best-practices-federal-data-security-protection-report-2022#page=4

[7] “Ransomware Hackers Will Still Target Smaller Critical Infrastructure, CISA Director Warns,” Nextgov, https://www.nextgov.com/cybersecurity/2022/07/ransomware-hackers-will-still-target-smaller-critical-infrastructure-cisa-director-warns/374953/

[8] “DHS Convenes Regulators, Law Enforcement Agencies on Cyber Incident Reporting,” Nextgov, https://www.nextgov.com/cybersecurity/2022/07/dhs-convenes-regulators-law-enforcement-agencies-cyber-incident-reporting/374968/

[9] “Ransomware Attacks on Hospitals Have Changed,” AHA Center for Health Innovation, https://www.aha.org/center/cybersecurity-and-risk-advisory-services/ransomware-attacks-hospitals-have-changed

[10] “FACT SHEET: Top 10 Programs in the Bipartisan Infrastructure Investment and Jobs Act That You May Not Have Heard About.” The White House, https://www.whitehouse.gov/briefing-room/statements-releases/2021/08/03/fact-sheet-top-10-programs-in-the-bipartisan-infrastructure-investment-and-jobs-act-that-you-may-not-have-heard-about/

[11] “Global Data Protection Index 2021,” Dell Technologies, https://www.dell.com/en-us/dt/data-protection/gdpi/index.htm#pdf-overlay=//www.delltechnologies.com/asset/en-us/products/data-protection/industry-market/global-data-protection-index-key-findings.pdf

Infographic Resources:

“Ransomware and Energy and Utilities,” AT&T Cybersecurity, https://cybersecurity.att.com/blogs/security-essentials/ransomware-and-energy-and-utilities

| Carahsoft

Tag Archives: GAO