News

Microsoft To Launch Enterprise Security 'Hygiene' Effort with NIST

• By Kurt Mackie
• 10/10/2019

Microsoft this week announced it has partnered with the National Institute of Standards and Technology (NIST) on a project called "Critical Cybersecurity Hygiene: Patching the Enterprise Project."

Mark Simos, lead cybersecurity architect for Microsoft's Enterprise Cybersecurity Group, gave an overview of the effort with NIST on Wednesday. He described the project as being designed to help enterprise organizations better patch their software.

NIST plans to deliver "prescriptive guidance on establishing policies and processes for the entire patching life cycle," which will get published in an "NIST Cybersecurity Practice Guide." It's not clear when the finalized guide will appear, and the NIST's page indicated it's currently seeking technology vendor participants in the program. A draft of the "Critical Cyber Security Hygiene: Patching the Enterprise" document, dated Aug. 31, 2018, can be downloaded here (PDF). Simos is listed as one of the co-authors.

Microsoft Seeks Answers
Microsoft partnered with the NIST, part of the U.S. Department of Commerce, on this enterprise patch hygiene effort after trying to figure out why so many systems were unpatched and subject to the NotPetya ("WannaCry") wiper attacks about two years ago, according to Simos. Patches for the Windows SMB 1 vulnerability exploited by the attackers using WannaCry malware had been available "for months," he noted.

As Microsoft looked into this matter, organizations told Microsoft that they were uncertain about what kind of patch testing should be done. They also were uncertain about how fast systems should get patched. Organizations typically just checked if patches had problems in online forums, according to Simos.

"This articulated need for good reference processes was further validated by observing that a common practice for 'testing' a patch before a deployment often consisted solely of asking whether anyone else had any issues with the patch in an online forum," he explained.

While Simos implied that checking forums for patch problems was an inadequate approach, Microsoft now publishes known issues with Windows 10 upgrades at its Message Center page. It's a fairly new practice for Microsoft, and was started to better communicate the many problems that regularly occur with Windows 10 upgrade releases.

Simos asserted that applying patches "isn't as easy as security departments think, [and] it isn't as hard as IT organizations think."

Windows 10 Problems
Of course, Microsoft hasn't had a good record with its own Windows 10 upgrade and patch quality over the years. The company reduced its testing staff even as it accelerated its Windows 10 upgrade releases to twice yearly. Organizations face more frequent OS upgrades with Windows 10 releases, which implies more testing needs to get done by them, although Microsoft claims high app compatibility with Windows 10.

Along those lines, on Wednesday Microsoft warned that organizations running Windows 10 version 1703 will stop getting "quality updates" (security and nonsecurity patches) on Oct. 8, 2019. Organizations running Windows 10 version 1803 will stop getting quality updates on Nov. 12, 2019. They will need to upgrade those OSes to continue to get patch support from Microsoft.

Patching systems apparently is more complicated with Windows 10. In addition to Microsoft's failures in delivering problem-free patches, partners providing drivers for Windows 10 upgrades have sometimes botched them. Microsoft uses its "telemetry" data collection to hold off delivering potentially problematic upgrades, but it hasn't been a problem-free approach.

Enterprise organizations likely may have more complex software environments to patch than Microsoft accounts for in its own testing. Microsoft admitted a couple of year ago that it had stopped testing its quality updates when it released Windows 8 and it reduced its app testing to 250 critical business applications. More recently, with Windows 10, Microsoft said it tested "around 2,500 apps" for compatibility issues.

Other factors may be involved besides poor IT patch practices. For instance, the U.K.'s National Health Service systems that were hard hit by WannaCry malware about two years ago were thought to be running unsupported Windows XP OSes. Likely money and resource issues add to the mix.