The foundation of risk-based cybersecurity using the Risk Management Framework (RMF) is designing, developing and deploying resilient systems. Resilient systems have the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on your information resources. One of the most important steps toward cyber resilience is practicing good cybersecurity hygiene, making sure your systems are patched so they have the best available protection from attacks.
What are the Two Vulnerabilities?
Digital detritus and unsupported systems present two vulnerabilities that pose serious risks to your systems and a substantial opportunity for adversaries to attach your system. Both need to be addressed when you analyze your system as part of the RMF and authority to operate (ATO) process and need to be reflected in your Plans of Action and Milestones (POAM).
Digital detritus is the risk caused by do it yourself applications that are downloaded into your environment by well meaning employees trying to solve an immediate problem — edit a photo in an unusual format, manage a list of email addresses for a conference, add a special plug-in to your office productivity suite — applications that find their way into your environment unknown to your information security team.
The unsupported are legacy applications that are no longer supported by the developer, unmatched applications where no one is supplying critical patches. The unpatchable pose a much more significant risk and add layers of complexity when building a risk-based cybersecurity strategy.
How To Fix Them
The simplest fix is to prohibit the use of unsupported information systems and system components. The reality is that you need to continuously look for and remove the digital detritus that users install. As part of your patch management strategy you keep an inventory of software that is currently installed and the version of each piece of software is installed so the correct patches can be identified, acquired, and installed. Use your inventory to look for software that isn’t on the list and investigate anything you find and how it go there. Then either add it to your patch management program if you decide to support it or remove it.
Another important part of making this process work is adding a discussion of the risks posed by unsupported software to your cyber security awareness training. Cybersecurity hygiene is for everyone.
Legacy systems pose a more difficult challenge. Unsupported mission critical systems should have a high priority for replacement or upgrade. In the meantime, there are several options. Establish in-house support by developing customized patches for critical software components. This usually requires access to the source code and to a developer who is familiar with the security aspects of the environment and the application. You can hire a contractor who can provide ongoing support for the unsupported components in your environment. This is easier when you are operating in an open source environment or need support from systems built using standards-based software components. This may not be an option when you are running older commercial-off-the-shelf (COTS) software because you may not have access to the source code.
Legacy systems that have support issues may require development of custom security controls that can compensate for the security risks. As part of your RMF cybersecurity strategy analysis examine the risk in terms of the impact on the confidentiality, integrity, and availability of the system. Assess the risk impact of the legacy system. Then look at your security control baseline in light of your risk decision to determine if there are tailoring options that will help mitigate the risk. Look for compensating controls you can add to your environment to help protect your legacy assets and add tools to ensure that the system is being continuously monitored until it can be replaced.
Finally add the system and its risks to your ATO decision support package, System Security Plan, and POAM to ensure awareness of the risk and to begin the process of modernizing or replacing the unsupported components and keeping the authorizing official abreast of how these components impact your risk-posture and on-going ATO..
If you’d like to learn more about custom controls and how to manage legacy systems as part of your RMF on-going ATO process, call us.