Patching and Vulnerability/PenTesting Best Practices

Logging is encouraged across all systems that access sensitive data.

Events to Be Logged

Sensitive data that is shared among groups of individuals should be logged to keep an audit trail active for tracking changes and monitoring approved and potential unapproved changes to information.

Patch Management & Vulnerability / Penetration Testing

KCTCS pushes the latest vendor-supplied security patches to all active network machines via KACE and SCCM for ease of management and customized, secure installations.

Patching

All systems and applications should have the latest approved security patches installed when available.  New servers and desktops should be fully patched and in compliance with the relevant configuration standards before entering production.

All affected systems and applications within KCTCS that handle sensitive information receive scheduled security scanning assessments at least quarterly by performing an in-house and PCI external vulnerability assessment / penetration test. Systems and applications should be in line with current vendor supported versions.

Any necessary version change, password modification, or patch update following a vulnerability assessment is scheduled to be performed within appropriate timeframes, established by the operational timeline relevant to each affected system.  

Legacy/Retired Client/Server OS 

All client / server based operating systems (OS) either approaching retirement or considered End-Of-Life (EOL) should be decommissioned or have the affected server/client OS upgraded to the most currently supported and secure Operating System.  If a retired client/server OS has proprietary software, then data should be migrated to a new server for testing and eventually moved into a production state while also working towards the phasing out of the current legacy OS.

Vulnerability Advisories

KCTCS receives the most critical component and patch updates through its SCCM software and patch management integration. If a critical advisory is published for affected systems that have not already been addressed via SCCM, Technology Solutions intervenes manually and pushes the corresponding updates and patches in addition to the scheduled ones.

Vulnerability Rating Risk

The Common Vulnerability Scoring System (CVSS) is used for rating and assessing the severity of system vulnerabilities.  The following table represents how vulnerabilities can be categorized according to the CVSS score and how remediation is prioritized:


Risk Level    CVSS Score    Acceptable Remediation Time
Attention     0             Discretionary
Low           1.0-3.9       Next Patch Cycle (3-6 months)
Medium        4.0-6.9       8 Weeks Max
High          7.0-10        4 Weeks


The risk level will be presented in the vulnerability scan report. If a score is not indicated, Medium risk level should be assumed. Immediate corrective action will need to be taken for the following:

    • External vulnerabilities with a CVSS Score of 4 or greater; or
    • Internal vulnerabilities with a CVSS Score of 7 or greater.

Any systems found to have a vulnerability which has not been corrected in the acceptable remediation time should be removed from service until an acceptable corrective action has been taken.
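As an added illustration of the prioritization rules in the table and the two immediate-action bullets above (example code written for this page, not a KCTCS tool): a small Python triage routine that assigns the policy's risk level and remediation deadline to scan findings, applies the external 4-or-greater / internal 7-or-greater immediate-action rule, defaults unscored findings to Medium, and flags findings that are past their acceptable window for removal from service. The host names, FINDING-* references and dates are constructed; the 180-day figure used for "Next Patch Cycle", the bottom-of-Medium score used for unscored findings in the immediate-action test, and the handling of scores that fall between the table's bands are assumptions not stated by the policy.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Remediation windows from the policy table. The two open-ended entries are
# pinned to concrete numbers here as assumptions: "Discretionary" has no
# deadline (None) and "Next Patch Cycle (3-6 months)" uses the 6-month end.
REMEDIATION_DAYS = {
    "Attention": None,
    "Low": 180,
    "Medium": 8 * 7,
    "High": 4 * 7,
}

# Assumption: a finding that arrives without a score is treated as Medium, and
# for the immediate-action test it is given the bottom of the Medium band.
UNSCORED_EFFECTIVE_CVSS = 4.0


@dataclass
class Finding:
    host: str
    ref: str                  # scanner's finding reference (placeholders below)
    cvss: Optional[float]     # None when the scan report carries no score
    external: bool            # True if the finding is externally reachable
    found: date               # date the scan reported it


def risk_level(cvss: Optional[float]) -> str:
    """Map a CVSS score to the policy's risk level.

    The table lists bands 0, 1.0-3.9, 4.0-6.9 and 7.0-10. Scores in the gaps
    between bands (e.g. 0.5 or 3.95) are placed by threshold instead (assumption):
    Low covers anything above 0 and below 4.0, Medium 4.0 up to 7.0, High 7.0+.
    """
    if cvss is None:
        return "Medium"          # policy: assume Medium when no score is given
    if cvss < 0 or cvss > 10:
        raise ValueError(f"CVSS score out of range: {cvss}")
    if cvss == 0:
        return "Attention"
    if cvss < 4.0:
        return "Low"
    if cvss < 7.0:
        return "Medium"
    return "High"


def remediation_deadline(level: str, found: date) -> Optional[date]:
    """Latest acceptable fix date, or None for discretionary (Attention) items."""
    days = REMEDIATION_DAYS[level]
    return None if days is None else found + timedelta(days=days)


def requires_immediate_action(cvss: Optional[float], external: bool) -> bool:
    """Policy: external findings scoring 4 or more, internal findings 7 or more."""
    score = UNSCORED_EFFECTIVE_CVSS if cvss is None else cvss
    return score >= (4.0 if external else 7.0)


def triage(findings: List[Finding], today: date) -> List[Dict]:
    """Attach level, deadline and required actions to each scan finding."""
    rows = []
    for f in findings:
        level = risk_level(f.cvss)
        deadline = remediation_deadline(level, f.found)
        rows.append({
            "host": f.host,
            "ref": f.ref,
            "level": level,
            "deadline": deadline,
            "immediate": requires_immediate_action(f.cvss, f.external),
            # Past the acceptable window: policy says remove from service.
            "remove_from_service": deadline is not None and today > deadline,
        })
    return rows


# Constructed sample scan output; hosts and FINDING-* references are placeholders.
SAMPLE_FINDINGS = [
    Finding("web-01", "FINDING-001", 9.8, external=True, found=date(2024, 3, 1)),
    Finding("db-01", "FINDING-002", 5.3, external=False, found=date(2024, 3, 1)),
    Finding("kiosk-07", "FINDING-003", None, external=True, found=date(2024, 3, 1)),
    Finding("print-02", "FINDING-004", 2.1, external=False, found=date(2024, 3, 1)),
    Finding("file-01", "FINDING-005", 0.0, external=False, found=date(2024, 3, 1)),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS, today=date(2024, 4, 15)):
        print(row)
```

Run against the sample on 2024-04-15, the High finding on web-01 is 17 days past its 4-week window and is flagged for removal from service, the unscored kiosk finding is treated as Medium but still needs immediate action because it is external, and the score-0 item carries no deadline at all.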

Vulnerability Scanning

KCTCS performs periodic vulnerability scans. Vulnerability scanning includes scanning for specific functions, ports, protocols, and services that should not be accessible to users or devices and for improperly configured or incorrectly operating information flow mechanisms.

All vulnerabilities identified should be mitigated in a timely manner to reduce risk in the environment. Documented evidence that the process has been conducted must be retained for auditing purposes.

In support of PCI requirements, internal and external network vulnerability scans are scheduled at least quarterly and are run manually after any significant change in the network.

Penetration Testing

Internal and external penetration testing is scheduled once a year and after any significant infrastructure or application upgrade or modification.  Examples of significant changes include:

  • An operating system upgrade
  • A new network/VLAN added to the environment
  • A new server or hardware device added to the environment

Testing will include both network layer and application layer penetration tests.  Corrective action is then taken for vulnerabilities and exploits discovered during testing.