Election Security Spotlight – Patching

What it is

Patching is the process of applying available updates to an operating system, website, software, hardware, or plugin. In information security, patches are security updates that address identified vulnerabilities, which could allow cyber threat actors unauthorized access to information systems or networks. Some companies, such as Microsoft and Adobe, regularly release bulk security patches for their products on the second Tuesday of every month (i.e., Patch Tuesday), whereas other companies release patches on other days of the month, quarterly, or on an ad hoc basis. Each vulnerability in the patch is rated based on the associated level of risk, threat, and impact, along with other factors. In the U.S., most publicly known cybersecurity vulnerabilities are cataloged in the Common Vulnerabilities and Exposures (CVE) List maintained by MITRE.

Why does it matter

Unpatched vulnerabilities remain one of the primary infection vectors observed by the EI-ISAC and our partners. Once patches are publicly announced, information on the vulnerabilities they remediate is generally available to anyone, including cyber threat actors. This significantly increases the likelihood that threat actors will attempt to exploit unpatched systems using information deduced from the patch release. Successful exploitation of unpatched election infrastructure may result in malware infections, website defacements, or the compromise of the confidentiality, integrity, or availability of election-related information, which could include personally identifiable information (PII) and other voter information.

What you can do

When patching relevant election systems, be sure to consider your state’s or the U.S. Election Assistance Commission’s (EAC) System Certification Process and account for scheduled primary and election day system configuration freezes. When creating a patch management program for your agency, begin by understanding all the hardware and software assets that you are responsible for (CIS Controls 1 & 2). Then implement a patch management program that:

  • Readily identifies patches as they become available;
  • Prioritizes patches for known vulnerable systems;
  • Downloads patches from authoritative sources;
  • Tests and verifies patches in the operating environment; and
  • Applies appropriately tested patches to vulnerable systems.
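
As an added illustration of the prioritization and scheduling steps above (this is not code from the original spotlight or from the EI-ISAC), the following Python helper orders available patches by whether the asset inventory shows the affected product in use, then by vendor rating, and sets a target date that respects the election-day configuration freezes described earlier. The freeze windows, the per-rating deployment deadlines, and the CVE identifiers are constructed placeholders, not real policy values or real CVEs.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed configuration-freeze windows (primary and general election) for a
# hypothetical jurisdiction; real dates come from the state election calendar.
FREEZE_WINDOWS = [
    (date(2024, 3, 1), date(2024, 3, 6)),
    (date(2024, 10, 22), date(2024, 11, 8)),
]
# Assumed local policy: days allowed from patch release to deployment, by rating.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Patch:
    cve_id: str             # placeholder ids in the sample data, not real CVEs
    severity: str           # vendor/CVE rating: critical, high, medium, low
    released: date
    known_vulnerable: bool  # asset inventory (CIS Controls 1 & 2) shows we run it


def target_date(patch):
    """SLA deadline moved off any freeze window: apply before the freeze if the
    patch was released in time, otherwise on the first day after the freeze ends."""
    due = patch.released + timedelta(days=SLA_DAYS[patch.severity])
    for start, end in FREEZE_WINDOWS:
        if start <= due <= end:
            before = start - timedelta(days=1)
            return before if before >= patch.released else end + timedelta(days=1)
    return due


def prioritize(patches):
    """Work queue: patches for systems we actually run first, then by rating,
    then by the earliest target date."""
    return sorted(patches, key=lambda p: (not p.known_vulnerable,
                                          SEVERITY_RANK[p.severity],
                                          target_date(p)))


def schedule(patches):
    """Prioritized (cve_id, target date) pairs, e.g. for a change-control ticket."""
    return [(p.cve_id, target_date(p).isoformat()) for p in prioritize(patches)]


SAMPLE = [  # constructed sample data
    Patch("CVE-PLACEHOLDER-1", "medium", date(2024, 2, 13), True),
    Patch("CVE-PLACEHOLDER-2", "critical", date(2024, 2, 27), True),
    Patch("CVE-PLACEHOLDER-3", "critical", date(2024, 2, 27), False),
    Patch("CVE-PLACEHOLDER-4", "critical", date(2024, 10, 25), True),
]

if __name__ == "__main__":
    for cve_id, when in schedule(SAMPLE):
        print(cve_id, "apply by", when)
```

A patch released during a freeze longer than its deadline (the fourth sample entry) is scheduled for the first day after the freeze rather than silently dropped.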

The MS-ISAC regularly disseminates Cybersecurity Advisories, which address critical patches in commercial software commonly used by government agencies and are available to all EI-ISAC members. To subscribe to Cybersecurity Advisories, EI-ISAC members should contact their account manager or complete the subscription form. For more comprehensive recommendations and technical insight on this topic, please see the MS-ISAC’s Technical White Paper Timely Patching Reduces System Compromises.

The EI-ISAC Cybersecurity Spotlight is a practical explanation of a common cybersecurity concept, event, or practice and its application to Elections Infrastructure security. It is intended to provide EI-ISAC members with a working understanding of common technical topics in the cybersecurity industry. If you would like to request a specific term or practice that may be of interest to the elections community, please contact [email protected].