{"id":101530,"date":"2019-10-09T17:07:50","date_gmt":"2019-10-09T17:07:50","guid":{"rendered":"https:\/\/news.microsoft.com\/?p=434798"},"modified":"2019-10-09T17:07:50","modified_gmt":"2019-10-09T17:07:50","slug":"when-you-dont-install-patches-cybersecurity-attacks-win-heres-how-we-and-you-can-turn-the-tide","status":"publish","type":"post","link":"https:\/\/sickgaming.net\/blog\/2019\/10\/09\/when-you-dont-install-patches-cybersecurity-attacks-win-heres-how-we-and-you-can-turn-the-tide\/","title":{"rendered":"When you don\u2019t install patches, cybersecurity attacks win. Here\u2019s how we and you can turn the tide"},"content":{"rendered":"<div><img decoding=\"async\" src=\"https:\/\/www.sickgaming.net\/blog\/wp-content\/uploads\/2019\/10\/when-you-dont-install-patches-cybersecurity-attacks-win-heres-how-we-and-you-can-turn-the-tide.png\" class=\"ff-og-image-inserted\"><\/div>\n<p>In the wake of the devastating (Not)Petya attack, Microsoft set out to understand why some customers weren\u2019t applying cybersecurity hygiene, such as security patches, which would have helped mitigate this threat. We were particularly concerned with why patches hadn\u2019t been applied, as they had been available for months and had already been used in the WannaCrypt worm\u2014which clearly established a \u201dreal and present danger.\u201d<\/p>\n<p>We learned a lot from this journey, including how important it is to build clearer industry guidance and standards on enterprise patch management. To help make it easier for organizations to plan, implement, and improve an enterprise patch management strategy, Microsoft is partnering with the U.S. 
National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE).<\/p>\n<p>NIST and Microsoft are extending an invitation for you to join this effort if you\u2019re a:<\/p>\n<ul>\n<li><strong>Vendor<\/strong>\u2014Any vendor who has technology offerings to help with patch management (scan, report, deploy, measure risk, etc.).<\/li>\n<li><strong>Organization or individual<\/strong>\u2014All those who have tips and lessons learned from a successful enterprise management program (or lessons learned from failures, challenges, or any other situations).<\/li>\n<\/ul>\n<p>If you have pertinent learnings that you can share, please reach out to <strong>cyberhygiene@nist.gov<\/strong>.<\/p>\n<p>During this journey, we also worked closely with additional partners and learned from their experience in this space, including the:<\/p>\n<ul>\n<li>Center for Internet Security (CIS)<\/li>\n<li>U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) (formerly US-CERT \/ DHS NCCIC)<\/li>\n<\/ul>\n<p>A key part of this learning journey was to sit down and listen directly to our customers\u2019 challenges. 
Microsoft visited a significant number of customers in person (several of which I personally joined) to share what we learned\u2014which <a href=\"http:\/\/aka.ms\/rapidattack\" target=\"_blank\" rel=\"noopener noreferrer\">became part of the jointly endorsed mitigation roadmap<\/a>\u2014and to have some really frank and open discussions to learn why organizations <em>really<\/em> aren\u2019t applying security patches.<\/p>\n<p>While the discussions mostly went in expected directions, we were surprised at how many challenges organizations had on processes and standards, including:<\/p>\n<ul>\n<li>\u201cWhat sort of testing should we actually be doing for patch testing?\u201d<\/li>\n<li>\u201cHow fast should I be patching my systems?\u201d<\/li>\n<\/ul>\n<p>This articulated need for good reference processes was further validated by observing that a common practice for \u201ctesting\u201d a patch before a deployment often consisted solely of asking whether anyone else had any issues with the patch in an online forum.<\/p>\n<p>This realization guided the discussions with our partners towards creating an initiative in the <a href=\"https:\/\/www.nccoe.nist.gov\/projects\/building-blocks\/patching-enterprise\" target=\"_blank\" rel=\"noopener noreferrer\">NIST NCCoE<\/a> in collaboration with other industry vendors. 
This project\u2014kicking off soon\u2014will build common enterprise patch management reference architectures and processes, have relevant vendors build and validate implementation instructions in the NCCoE lab, and share the results in the NIST Special Publication 1800 practice guide for all to benefit.<\/p>\n<p>Applying patches is a critical part of protecting your system, and we learned that while it isn\u2019t as easy as security departments think, it isn\u2019t as hard as IT organizations think.<\/p>\n<p>In many ways, patching is a social responsibility because of how much society has come to depend on technology systems that businesses and other organizations provide. This situation is exacerbated today as almost all organizations undergo digital transformations, placing even more social responsibility on technology.<\/p>\n<p>Ultimately, we want to make it easier for everyone to do the right thing and are issuing this call to action. If you\u2019re a vendor that can help or if you have relevant learnings that may help other organizations, please reach out to <strong>cyberhygiene@nist.gov<\/strong>. Now!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the wake of the devastating (Not)Petya attack, Microsoft set out to understand why some customers weren\u2019t applying cybersecurity hygiene, such as security patches, which would have helped mitigate this threat. 
We were particularly concerned with why patches hadn\u2019t been applied, as they had been available for months and had already been used in the [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":101531,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[49],"tags":[50,52],"class_list":["post-101530","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-news","tag-recent-news","tag-security"],"_links":{"self":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/101530","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/comments?post=101530"}],"version-history":[{"count":0,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/101530\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media\/101531"}],"wp:attachment":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media?parent=101530"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/categories?post=101530"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/tags?post=101530"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}