Critical Software
Critical software (termed EO-critical software by NIST) is defined as any software that has, or has direct software dependencies upon, one or
more components with at least one of the attributes listed below:
The definition applies to software of all forms (e.g., standalone software, software integral to specific
devices or hardware components, cloud-based software) purchased for, or deployed in, production
systems and used for operational purposes. These include software that manages server operations,
facilitates communication, and provides security, as well as any other software that directly impacts the
stability and performance of server-based applications or services.
Elevated Privileges: Any software that runs with elevated privileges carries higher risk, because a
compromise of that software (or of the account it runs as) gives an attacker correspondingly more power
to do damage; this is why it is considered critical software.
Direct or privileged access to network resources: Any software that has access to network resources
can be used as an entry point to compromise other parts of the network. That access essentially acts
as a doorway, allowing people entry into the company’s network if the software becomes
compromised.
Controls access to data or operational technology: Software that controls access to data or operational
technology has two main implications. Firstly, it can be used by attackers to gain access to company data
for exfiltration or encryption (ransomware), or to reach other technology in the company.
Secondly, it can be used to cripple the business by making these resources unavailable.
Critical Trust: This attribute covers all of the software in your company that performs a security
function. If an attacker is able to compromise this software, they can make your company
defenseless, or at least create blind spots in your company's defenses that allow them to access
your company network and remain undetected indefinitely.
Operate outside of normal trust boundaries: Any software that is not subject to the normal trust
restrictions of your company, especially software with elevated privileges, poses much more danger
than normal applications. These applications are not subject to the normal checks
and balances that other software is, and therefore they need to be monitored and limited in use to
prevent security incidents.
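The definition above is a rule that can be applied mechanically to a software inventory: a component is critical if it carries one of the five attributes itself, or if one of its direct dependencies does. The following is an added example (not code from NIST or from this page) that applies that rule to a small constructed inventory; the attribute names, the `Component`/`Verdict` types and the sample entries are all assumptions made for the illustration. Note that only direct dependencies propagate criticality, matching the wording "direct software dependencies", so a chain A -> B -> C does not make A critical through C unless B has an attribute of its own.

```python
"""Classify a software inventory as EO-critical or not, following the
definition on this page. Added example; the inventory is constructed."""
from dataclasses import dataclass, field

# The five attributes from the definition (names are this example's own).
ATTRIBUTES = {
    "elevated_privileges",
    "privileged_network_access",
    "controls_access_to_data_or_ot",
    "critical_trust_function",
    "outside_normal_trust_boundaries",
}


@dataclass
class Component:
    name: str
    attributes: set = field(default_factory=set)
    depends_on: list = field(default_factory=list)  # direct dependencies only


@dataclass
class Verdict:
    is_critical: bool
    reasons: list          # why it was classified critical (empty if not)
    unresolved: list       # dependencies missing from the inventory; review them


def own_attributes(comp):
    """Return the component's recognised critical attributes, rejecting typos."""
    unknown = comp.attributes - ATTRIBUTES
    if unknown:
        raise ValueError(f"{comp.name}: unknown attributes {sorted(unknown)}")
    return sorted(comp.attributes)


def classify(inventory):
    """Return {name: Verdict} for every component in the inventory."""
    by_name = {c.name: c for c in inventory}
    verdicts = {}
    for comp in inventory:
        reasons = [f"own:{a}" for a in own_attributes(comp)]
        unresolved = []
        for dep_name in comp.depends_on:
            dep = by_name.get(dep_name)
            if dep is None:
                # A dependency we know nothing about cannot be cleared; flag it.
                unresolved.append(dep_name)
                continue
            reasons += [f"dependency:{dep_name}:{a}" for a in own_attributes(dep)]
        verdicts[comp.name] = Verdict(bool(reasons), reasons, unresolved)
    return verdicts


def critical_names(inventory):
    """Sorted names of all components classified as EO-critical."""
    return sorted(n for n, v in classify(inventory).items() if v.is_critical)


# Constructed sample inventory (not real products or real dependency data).
INVENTORY = [
    Component("sshd", {"elevated_privileges", "privileged_network_access"}),
    Component("auth-gateway", {"critical_trust_function"}),
    Component("intranet-wiki", depends_on=["auth-gateway"]),        # critical via dependency
    Component("reporting-dashboard", depends_on=["intranet-wiki"]),  # transitive only: not critical
    Component("notepad-clone"),                                      # no attributes, no deps
    Component("legacy-scheduler", depends_on=["unknown-lib"]),       # needs review
]

if __name__ == "__main__":
    for name, verdict in classify(INVENTORY).items():
        flag = "CRITICAL" if verdict.is_critical else "not critical"
        extra = f" (unresolved deps: {verdict.unresolved})" if verdict.unresolved else ""
        print(f"{name:20} {flag:13} {verdict.reasons}{extra}")
```

The `unresolved` field is deliberately kept separate from `is_critical`: an inventory gap is not evidence either way, and the practical response is to complete the inventory before trusting a "not critical" result for that component.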
SM-1: Protect EO-critical software and EO-critical software platforms from unauthorized access and
usage.
SM-2: Protect the confidentiality, integrity, and availability of data used by EO-critical software and EO-critical software platforms.
SM-3: Identify and maintain EO-critical software platforms and the software deployed to those
platforms to protect the EO-critical software from exploitation.
SM-4: Quickly detect, respond to, and recover from threats and incidents involving EO-critical software
and EO-critical software platforms.
SM-5: Strengthen the understanding and performance of humans’ actions that foster the security of
EO-critical software and EO-critical software platforms.
NIST has produced a table that spells out the specific categories of software used for security functions,
such as those affecting network control, endpoint security, and network protection. The preliminary
critical software categories in the table include:
Web browsers
Endpoint security
Network control
Network protection
Remote scanning
One of the most critical reasons for regularly patching and updating software is to address
security vulnerabilities. Cybercriminals are always on the lookout for weaknesses in operating
systems and applications that they can exploit. Once these vulnerabilities are discovered,
attackers can gain unauthorized access to sensitive data, deploy malware, or even cause
significant disruption to business operations.
Regularly updating software is not just about enhancing security; it’s also about improving
overall system functionality. Software vendors frequently release updates that contain bug fixes,
performance enhancements, and new features, all of which contribute to a more efficient and
reliable system.
Moreover, software updates often address compatibility issues that arise when businesses use
multiple applications or integrate new hardware. Outdated software can create friction between
systems, leading to crashes or slow performance.
Types of updates:
Security Patches (High Priority) - A security patch is a software update specifically designed to fix
vulnerabilities and flaws that could be exploited by hackers or malicious software.
Feature Updates (Optional) - These updates typically include new features, visual improvements,
and significant enhancements to improve the overall experience and security.
Bug Fixes (Medium Priority) - A bug fix is a change made to a system, software, or product to
correct a programming error or glitch, known as a “bug,” that causes the software to
malfunction.
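The three tiers above give a natural ordering for a patch queue, and the critical-software definition earlier on the page gives a tiebreaker within a tier. The following is an added example (not code from the page or any vendor) that orders a constructed queue of pending updates that way and flags the ones past a target deployment window; the `PendingUpdate` type, the tier names, the window lengths and the sample queue are all assumptions for the illustration, not values stated on the page.

```python
"""Triage pending updates by the priority tiers on this page, breaking ties in
favour of EO-critical software. Added example; queue and windows are assumed."""
from dataclasses import dataclass
from datetime import date

# Tier order from the page: security patch (high), bug fix (medium), feature (optional).
PRIORITY = {"security": 0, "bugfix": 1, "feature": 2}   # lower sorts first

# Assumed target windows in days from release; a placeholder policy, not the page's.
TARGET_DAYS = {"security": 7, "bugfix": 30, "feature": None}   # None: no deadline


@dataclass(frozen=True)
class PendingUpdate:
    package: str
    kind: str                 # "security" | "bugfix" | "feature"
    released: date
    on_critical_software: bool  # target classified as EO-critical


def validate(update):
    if update.kind not in PRIORITY:
        raise ValueError(f"{update.package}: unknown update kind {update.kind!r}")
    return update


def sort_key(update):
    # Security first; within a tier, EO-critical targets first; then oldest release.
    return (PRIORITY[update.kind], not update.on_critical_software, update.released)


def is_overdue(update, today):
    """True if the update has been available longer than its tier's window."""
    window = TARGET_DAYS[update.kind]
    if window is None:
        return False
    return (today - update.released).days > window


def triage(queue, today):
    """Return (ordered package names, overdue package names)."""
    ordered = sorted((validate(u) for u in queue), key=sort_key)
    return ([u.package for u in ordered],
            [u.package for u in ordered if is_overdue(u, today)])


# Constructed queue and reference date (not real releases).
TODAY = date(2024, 6, 1)
QUEUE = [
    PendingUpdate("office-suite", "feature", date(2024, 4, 1), False),
    PendingUpdate("wiki", "bugfix", date(2024, 5, 25), False),
    PendingUpdate("pdf-viewer", "security", date(2024, 5, 28), False),
    PendingUpdate("db-driver", "bugfix", date(2024, 4, 15), True),
    PendingUpdate("openssl", "security", date(2024, 5, 20), True),
]

if __name__ == "__main__":
    order, overdue = triage(QUEUE, TODAY)
    print("deploy order:", order)
    print("overdue:", overdue)
```

Within the security tier the critical-software flag outranks release date on purpose: a newer security patch for an EO-critical component is still a larger exposure than an older one for a desktop utility, which is exactly the distinction the definition on this page is meant to support.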
Nearly 60% of data breaches in the past two years can be traced back to a missing operating
system patch or application patch, researchers report. Poor patch management can be linked to
the high costs of downtime and disruption, both of which are magnified in larger organizations
and are poised to escalate as businesses rush to support fully remote staff as COVID-19 spreads.
The stat comes from Automox, where a team polled 560 IT and security pros at companies with
500 to 25,000 employees. They learned 81% had suffered a breach in the past two years. Thirty-six
percent of those incidents stemmed from a phishing attack, which was the most common
root cause, followed by missing OS patch (30%), missing application patch (28%), OS
misconfiguration (27%), insider threat (26%), credential theft (22%), and brute force (17%).
One in three IT professionals (34%) in Europe admitted that their organisation had been
breached as a result of an unpatched vulnerability (higher than the average of 27%) according to
a survey by security company Tripwire.
Just under half of companies said they aimed to deploy a security patch within a week, while over 90%
of companies said that they would generally fix a flaw within a month. But nearly half of companies said
they had to deal with less than 10 vulnerabilities a month; another 29% said they had 10-50 patches to
apply every month. Four out of five companies said they had stopped using a product because of a
vulnerability disclosure.
The WannaCry ransomware attack was a major security incident that impacted organizations all over
the world. On May 12, 2017, the WannaCry ransomware worm spread to more than 200,000 computers
in over 150 countries. Notable victims included FedEx, Honda, Nissan, and the UK's National Health
Service (NHS), the latter of which was forced to divert some of its ambulances to alternate hospitals.
Conclusions:
Both critical software and software updates are essential to maintaining the security, functionality, and
performance of any system. They are an integral part of preventing breaches and reducing cyber risk,
protecting data as well as the operation of systems and software.