The National Institute for Standards and Technology defines patch management as "the process for identifying, acquiring, installing and verifying patches for products and systems. Patches correct security and functionality problems in software and firmware."

While it may sound simple, there are always challenges that make an effective patch management strategy difficult to implement and maintain. More often than not, legacy applications and hardware may not survive the patching process, and the time and costs to install and conduct regression testing may be prohibitive. The first course of action should always be to conduct a risk analysis and look for a solution including compensating controls. If a risk cannot be resolved, then senior management must get involved to sign off on and acknowledge the issues.

A credit union that cannot overcome these challenges will be unable to patch systems effectively and efficiently, leading to compromises that could be easily preventable, which is what happened at Equifax. Organizations that can minimize the time they spend dealing with patching can use those resources for addressing other security concerns. Credit unions should strive to operationalize their patch management, making it more of a core IT function than part of security. However, it is still important that all credit unions consider patch management in the context of security. As Equifax found, patch management is critical to achieving and maintaining sound security.

Configuration Management

Imagine you are a burglar, breaking into an office building. Now imagine that instead of feeling your way around, you have blueprints for the building, as well as keys to some of the doors. If you put servers and equipment into production with default (out of the box) configurations, those are exactly the types of tools and resources you are giving a hacker. Default configurations and administrative accounts with default passwords are well documented, so the manufacturers assume you will change and secure the default configuration.

Every credit union should have a process to ensure systems are hardened to an agreed upon standard before they are deployed in the network. It should include the operating system, applications, ports, services and default accounts on the devices. If you do not have the time or staff to completely define a policy from scratch, ask your vendor of choice or a colleague. A solid configuration management program will yield some quick security benefits, so consider the following for your credit union:

• All of your systems will have standard secure configurations. Any equipment not correctly hardened will stand out when scanned.
• If a noncompliant system is found, update it. If it is too old to be updated, remove it or lock it down to reduce risk.
• Remove and reimage any previously configured systems that have been compromised. Keep a copy of the compromised image for forensic analysis.
• Have a master image that is integrity-checked and protected.
• The management of standard administrative accounts will enhance security on all systems and limit administrative privileges.

Change Management

Depending on the scope, change management can require a million-dollar software package or spreadsheet. Keep in mind the most important thing is to get the process started. Start small, collect some quick wins and evaluate the value of expanding the program.

Change controls for a credit union organization should include a documented process to propose, justify, implement, test and review changes to systems. Change control processes must also include changes to the baseline configurations of systems. Typical processes include a change control board that approves proposed changes. For new development information systems or systems undergoing major upgrades, include representatives from development organizations in the justification process.

An effective change management process will provide credit unions with the ability to audit changes before and after implementation, leading to an improvement of the entire process. Some things to consider with a basic change management program include:

• Review proposed changes to the information system and approve or disapprove such changes with a heavy emphasis on changes that may impact security.
• Document change decisions associated with the system. Include who, why, when and how.
• Monitor the implementation of approved changes to the information system. Were they executed without problems? If not, why?
• The historical record is valuable for everything from audits to budget and financial planning.
• Coordinate and provide oversight for configuration change control activities, monitor and improve processes, and produce metrics for management on changes and first pass success of change implementation.

 Some organizations may decide they cannot afford to start on change management or other security measures because the software to implement and audit is too expensive, resources are scarce or for perhaps another reason. Taking the first step to just get started, even if it is by updating a spreadsheet weekly, will be well worth the investment. Credit unions must realize the value of implementing stricter guidelines and work to expand and improve the process. The sooner the process starts, the sooner you can experience the benefits of a system with greater control and security.

Gene Fredriksen is Chief Information Security Strategist at PSCU. He can be contacted at [email protected].