All UC Berkeley IT Resources and all devices connected to the UC Berkeley network or cloud services must comply with the Minimum Security Standard for Networked Devices. The recommendations below are provided as optional guidance to assist with achieving the “Patching and Updates” Requirements.
MSSND Patching and Updates Requirement
Devices connected to a UC Berkeley network, including personal devices, must only run supported software and operating systems for which security patches are made available in a timely fashion. All currently available security patches must be applied on a schedule appropriate to the severity of the risk they mitigate.
Where extended vendor support is available for software or operating systems deemed “end-of-life”, enrollment is required and an exception must be requested.
Background and Description of Risk
Security vulnerabilities in software are constantly being discovered. Exploitation of vulnerabilities in software can lead to:
- Institutional data and personal data breaches
- Data loss or modification
- Compromised systems and use of those compromised systems to launch further attacks
- Denial of Service (DoS) attacks, rendering services unavailable
Recommendations
1. Patching Schedule
Based on National Vulnerability Database (NVD) ratings, apply security patches using the following schedule as a guideline. Please note that compliance with this schedule is required for IT Infrastructure and Services classified at P3, P4, or A4.
Other factors to consider that can accelerate or decelerate security patching schedule include:
1.1 Likelihood
- Has working exploit code been published?
- Has exploitation already been publicly or privately observed?
1.2 Exposure
- Are the vulnerable systems or services Internet-accessible?
- Are the vulnerable systems or services open to the entire Campus network or specific, authorized hosts?
1.3 Context
- How severe does the vendor rate the vulnerability?
- Is attack complexity high or low?
- What kind of impact is there? (e.g. confidentiality, integrity, and/or availability)
- How difficult would it be to detect an ongoing attack exploiting the vulnerability?
- Is there Protected Data on the system?
1.4 Mitigation
- Are there verified workarounds or temporary solutions that can quickly be implemented until full patching can occur?
2. Supported Operating Systems & Software
Devices on the campus network must run supported operating systems and software. “Supported” means:
- The software is actively receiving security updates from the vendor.
- For Open Source, software must be actively maintained by developers and must release security updates for any reported vulnerabilities in a timely fashion.
If an operating system or software product is deemed End-of-Life by the vendor, the unsupported software must be upgraded to a supported release before the End-of-Life date.
When upgrading is not possible or must be significantly delayed, users may enroll in extended support from a vendor (if available) and submit an Information Security Policy Exception Request.
3. General Patching Guidance
Effective patch management requires a process to identify vulnerable software, evaluate available patches, test and deploy those patches, and confirm their successful installation. Most operating system (OS) vendors include a solution for patching, but such solutions typically cover only the OS itself. It is critical to supplement these solutions with application and other software patching.
3.1 Automate
Enterprise Patch Management Systems:
- IBM BigFix: Campus departmental IT partners can use the IBM BigFix endpoint management service to automate patching of institutional devices. Contact the Endpoint Operations & Services team for more information.
- Microsoft Windows Server Update Service (WSUS): Berkeley IT offers a Microsoft Windows Server Update Service at http://update.berkeley.edu. For users of the CalNet Active Directory service, Group Policy Objects (GPOs) may be used to configure the use of the Berkeley IT-managed WSUS server. Use the GPO “Campus – WSUS” to configure updates to be automatically installed every day at 3:00am.
- RedHat Linux - Campus Satellite Server: The Berkeley IT Unix Team maintains a campus Satellite Server that offers access to RedHat updates. More information is available at https://wikihub.berkeley.edu/display/PIPUB/Red+Hat+Enterprise+Linux+Site+License.
Personal Devices and Self-managed Institutional Devices:
Enable Automatic Updates for operating systems.
- Microsoft Windows: https://support.microsoft.com/en-us/help/12373/windows-update-faq
- Apple macOS: https://support.apple.com/guide/mac-help/get-macos-updates-mchlpx1065/mac
3.2 Plan & Prioritize
- Understand that patching is an ongoing, recurring activity.
- Enterprise system owners should maintain a patch management plan and coordinate accordingly with both business and technical stakeholders.
- For critical vulnerabilities, be sure to prioritize the patching of Internet-facing systems when public services are vulnerable.
3.3 Monitor
For vendor products and services, subscribe to the vendor’s security advisory mailing list to ensure you are notified about vulnerabilities in a timely fashion. Ensure that you periodically check for updates for Internet of Things (IoT) devices, mobile devices, and other embedded operating system/firmware devices.
- UC Berkeley Information Security Office - Security Alerts: https://security.berkeley.edu/news-archive/security-alerts
- The UCB-Security mailing list: https://security.berkeley.edu/resources/mailing-lists-workgroups/ucb-security-mailing-list
- Apple - Security Updates: https://support.apple.com/en-us/HT201222
- Microsoft - Security Advisories & Bulletins: https://docs.microsoft.com/en-us/security-updates/
- US-CERT National Cyber Awareness System: https://www.us-cert.gov/mailing-lists-and-feeds