
2020.04.01

NIST White Paper [Project Description] Critical Cybersecurity Hygiene: Patching the Enterprise

Hello, this is Mitsuhiko Maruyama.

NIST's NCCoE (National Cybersecurity Center of Excellence) has published a white paper titled [Project Description] Critical Cybersecurity Hygiene: Patching the Enterprise.
Reducing as many vulnerabilities as possible across the organization through patching lowers the organization's overall exposure. That is exactly what improving cybersecurity hygiene means.

● NIST ITL

・2020.03.30 [Project Description] Critical Cybersecurity Hygiene: Patching the Enterprise

・[PDF] Project Description


Abstract

Cyber hygiene describes recommended mitigations for the small number of root causes responsible for many cybersecurity incidents. Implementing a few simple practices can address these common root causes. Patching is a particularly important component of cyber hygiene, but existing tools and processes are frequently insufficient to rapidly mitigate this risk in many environments and situations. The objective of this project is to demonstrate a proposed approach for improving enterprise patching practices for general IT systems. Commercial and open source tools will be used to aid with the most challenging aspects of patching, including system characterization and prioritization, patch testing, and patch implementation tracking and verification. These tools will be accompanied by actionable, prescriptive guidance on establishing policies and processes for the entire patching life cycle, in the form of a freely available NIST Cybersecurity Practice Guide.


TABLE OF CONTENTS

1 Executive Summary

Purpose
Scope
Assumptions/Challenges
Background

2 Scenarios

Scenario 0: Asset identification and assessment
Scenario 1: Routine patching
Scenario 2: Routine patching with cloud delivery model
Scenario 3: Emergency patching
Scenario 4: Emergency workaround (and backout if needed)
Scenario 5: Isolation of unpatchable assets
Scenario 6: Patch management system security (or other system with administrative privileges)

3 High-Level Architecture

Component List
Desired Requirements

4 Relevant Standards and Guidance

Secure Update Guidelines
Microsoft Software Update Guides

5 Security Control Map

Appendix A References

Appendix B Acronyms and Abbreviations


Project Description (Critical Cybersecurity Hygiene: Patching the Enterprise NCCoE)
