Author: Scott Marshall
Many Defence Mission Systems operate on stand-alone networks for a variety of valid reasons. Sometimes for security reasons (Confidentiality) and at other times for technical certification reasons (Integrity). This usually means that the automated patch management technology provided on strategic networks is unavailable.
Is patch management still important on a stand-alone network that has other security controls implemented to prevent the installation of malware that may exploit a known vulnerability?
In short, yes. While a stand-alone, non-connected network in a secure facility may be (for all intents and purposes) beyond the reach of external threats, it is still vulnerable to the insider threat. That vulnerability could be exploited in two ways.
Firstly, via the inadvertent introduction of software that is designed to reduce the integrity and/or the availability by exploiting a published vulnerability. This can be mitigated through the application of compensatory controls such as locking down USB ports, disabling auto run on CDs etc.
Secondly, via a malicious insider who uses a published vulnerability to defeat confidentiality provisions in the system or deliberately reduce the integrity or availability of the system or the information is processes.
Those familiar with the United States Government’s NIST Special Publication 800-53 know that control SI-2 highlights the importance of the timely implementation of patches. Likewise, the Australian Signals Directorate (ASD) Top 4 Mitigation Strategies to Protect Your ICT System requires the timely implementation of critical patches. ASD strongly recommends security patches are applied within 48 hours.
Other controls may be implemented to reduce the risk of an unpatched vulnerability being exploited, but let’s take a look at the attack vector of a trusted insider.
What is a Trusted Insider? A Trusted Insider is someone who has a valid reason to be accessing your sensitive information. In the military context, this would be a person with the required security clearance level and a “need to know” about the network and some of the information it contains. It’s clear that the threat posed by a trusted insider who has malicious intentions is particularly difficult to address when they have a valid business case for accessing your sensitive information.
This brings us to the reason that patching is important on stand-alone networks. Relatively speaking, there are few people with the ability to discover vulnerabilities in operating systems and third-party applications. What is possible, though, is for a technology savvy user to research published vulnerabilities and how to exploit them.
If you combine a malicious trusted insider, published vulnerabilities and a system that hasn’t been patched, you have a cyber incident just waiting to happen.
In summary, while the probability of an unpatched system being exploited is reduced if it is a stand-alone system (i.e. you can exclude external threat actors), it isn’t reduced to zero. Reference the damage Bradley Manning and Edward Snowden did, despite holding a Top-Secret security clearance. Manual patch management doesn’t need to be labour intensive— you can structure your patch management program to respond to critical security updates in a timely manner while deploying non-critical updates on an agreed, planned basis.
Pacific Aerospace Consulting have been working with a number of Defence clients on security accreditation of their stand-alone mission networks. We can help your organisation navigate the path to security accreditation without risking your technical certification.