Battle of the Week - Manual Updates
THE BATTLEGROUND
Infrastructure of a rural small business with VPN connections to remote customer sites.
THE PRESUMPTION
WSUS automatically updates servers and workstations.
THE DISCOVERY
The ops team was notified about CVE-2020-1350 (SIGRed), a remotely exploitable bug in the Windows DNS Server service that affects Windows Server 2003 through 2019. Microsoft rated it CVSS 10.0 and wormable: an unauthenticated attacker can send a specially crafted DNS request and gain arbitrary code execution as Local System. Only servers running the DNS Server role are affected, but in a small business that is usually the domain controller, so compromise of that one service means compromise of the whole domain.
OUR SOLUTION
Workstations are updated automatically, but servers only download the updates; an administrator must explicitly install them and reboot to apply the patches. This, along with pre-patch backups, reduces the chance of a faulty update breaking a critical system and makes rollback possible if one does. The trade-off is that a server with a pending patch stays vulnerable until someone acts, so the WSUS console alone cannot tell you whether a server is actually patched. We therefore maintain a Plan of Actions & Milestones (POA&M) to track remediation in a continuous, disciplined and structured way. The POA&M is built from vulnerability scans produced by the SIEM and by Tenable, whose plugin library covers more than 50,000 vulnerabilities across a wide range of technologies with a low false-positive rate. Findings are compiled into a month-over-month report that shows how each open vulnerability is being handled and whether the backlog is shrinking.
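The check described above, as an added example that is not part of the original post: run on the server itself, it reports how Automatic Updates is configured, whether the DNS Server role (the only thing CVE-2020-1350 affects) is present, which approved updates are downloaded but not yet installed, whether a reboot is still pending, and whether Microsoft's documented interim registry mitigation for SIGRed is in place. It assumes a WSUS-managed Windows Server with the ServerManager module available; the AUOptions meanings and the TcpReceivePacketSize workaround are from Microsoft's documentation, and KB numbers are deliberately not hard-coded because they differ per OS build.

```powershell
# Added example (not from the original post): verify patch state on a WSUS-managed
# Windows Server instead of assuming WSUS installed anything. Assumes the
# ServerManager module (Get-WindowsFeature) is present, i.e. a Server SKU.

# 1. How is Automatic Updates configured by policy?
#    AUOptions 3 = download and notify to install (what the post describes for servers),
#    4 = download and install on schedule. Values per Microsoft's WSUS policy docs.
$auLabels = @{ 2 = 'notify before download'; 3 = 'download, notify to install';
               4 = 'download and install on schedule'; 5 = 'local admin chooses' }
$au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
if ($au) {
    "AUOptions = $($au.AUOptions) ($($auLabels[[int]$au.AUOptions]))"
} else {
    'No WSUS/AU policy in HKLM:\SOFTWARE\Policies - this server may not be managed at all'
}

# 2. Does this box run the DNS Server role? If not, CVE-2020-1350 does not apply to it.
$dnsRole = Get-WindowsFeature -Name DNS
"DNS Server role installed: $($dnsRole.Installed)"

# 3. Updates that WSUS has approved/downloaded but that are NOT yet installed,
#    via the Windows Update Agent COM API (no third-party module needed).
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$pending  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates
"Pending (downloaded or approved, not installed): $($pending.Count)"
foreach ($u in $pending) {
    $kbs = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
    "  [{0,-9}] {1}  {2}" -f $u.MsrcSeverity, $kbs, $u.Title
}

# 4. When did the server last actually install a hotfix, and has it rebooted since?
#    A patch installed after the last boot has not taken effect yet.
$lastHotfix = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
$os = Get-CimInstance Win32_OperatingSystem
"Last hotfix: $($lastHotfix.HotFixID) on $($lastHotfix.InstalledOn)"
"Last boot:   $($os.LastBootUpTime)"
if ($lastHotfix.InstalledOn -gt $os.LastBootUpTime) {
    'WARNING: updates installed since last boot - reboot pending'
}

# 5. Microsoft's interim mitigation for CVE-2020-1350 while the patch is pending:
#    cap the DNS TCP packet size at 0xFF00 and restart the DNS service.
#    Remove the value again once the real patch is installed.
if ($dnsRole.Installed) {
    $dnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
    $p = Get-ItemProperty -Path $dnsParams -Name TcpReceivePacketSize -ErrorAction SilentlyContinue
    if ($p -and $p.TcpReceivePacketSize -eq 0xFF00) {
        'SIGRed registry workaround present'
    } else {
        'SIGRed registry workaround NOT present; to apply until patched:'
        "  Set-ItemProperty -Path $dnsParams -Name TcpReceivePacketSize -Type DWord -Value 0xFF00"
        '  Restart-Service DNS'
    }
}
```

Run it from an elevated prompt on each server and keep the output with the POA&M entry; the pending-update list and the reboot check are the two things the WSUS console will not show you for a "download and notify" server.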
LESSONS LEARNED
Never assume that updates are being installed. Always check, document, and track vulnerabilities to ensure your network is as secure as it can be.