Patch Applications & Operating Systems
Essential 8 Mitigation Strategies 2 & 3: (Patches, updates, or vendor mitigations for security vulnerabilities in internet-facing services should be applied within two weeks of release, or within 48 hours if an exploit exists.)
Let’s delve into what this means.
What are patches?
Patches are fixes in software code that address security gaps, add new functionality, or repair broken functionality. These patches usually come in the form of an update (for instance, the notifications you’ve inevitably received for Windows 10, Adobe Reader or even your phone’s operating system).
Everyone dreads these updates, but it is vitally important we stay on top of patches to minimise security risks. Failing to update applications or software can cause critical issues in the integrity of your devices and computers, as these patches keep you one step ahead of attackers and their latest methods of exploitation. In fact, about 57% of data breaches are attributed to poor patch management.
As an enterprise or organisation, especially one with hundreds of employees and devices, managing patching can become a real pain. Unless you have implemented whitelisting or mobile device management, it can be difficult to keep track of every application, piece of software, browser, and even plugin that has been installed on your systems.
You can send email blasts out to your users to remind them to update when a new patch comes out, but as mentioned, no one likes updating their devices, and many users may just put it on the backburner, which can cause serious gaps in your cyber security for attackers to exploit.
The best way to keep on top of patching yourself is to create a patch management plan and policy. To do this, you must first start with understanding the devices, operating systems, browsers, and third-party applications your users have installed on your network, and segment them into high and low risk categories.
Once you’ve done this, create a policy that establishes which applications will be patched and when, and under what conditions. For example, someone with admin privileges may need to patch their applications automatically, while those with restrictions are offered a more flexible timeframe. Another example is setting a 24–48-hour timeframe for OS updates but allowing a 1–2-week timeframe for browser or non-critical updates.
After you have your policy in place, follow up with audits to ensure your employees and end users are compliant, and review and optimise your policy to ensure you are following best practices.
Patch Apps & OS Maturity Level 1:
Requirement 1:
Patches, updates or vendor mitigations for security vulnerabilities in internet-facing services and operating systems of internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.
Requirement 2:
Patches, updates or vendor mitigations for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, security products, and operating systems of workstations, servers and network devices are applied within one month of release.
Requirement 3:
A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in internet-facing services and operating systems of internet-facing services.
Requirement 4:
A vulnerability scanner is used at least fortnightly to identify missing patches or updates for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, security products, and operating systems of workstations, servers and network services.
Requirement 5:
Internet-facing services, office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, security products, and operating systems that are no longer supported by vendors are removed or replaced.
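As an added example (not part of the original article or any ACSC tooling), the audit step can be scripted by checking each missing patch against the Maturity Level 1 windows in Requirements 1, 2 and 5. The finding format, host names and dates are constructed for illustration, and "one month" is assumed to mean 30 days.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Windows taken from Maturity Level 1 Requirements 1 and 2 above.
FACING = timedelta(weeks=2)
FACING_EXPLOIT = timedelta(hours=48)
OTHER = timedelta(days=30)  # assumption: "one month" counted as 30 days

@dataclass
class Finding:  # one missing patch as a scanner might report it (hypothetical shape)
    host: str
    product: str
    released: Optional[datetime]  # None when no patch will ever ship
    internet_facing: bool
    exploit_exists: bool = False
    vendor_supported: bool = True

def deadline(f: Finding) -> datetime:
    # The 48-hour clause is stated only for internet-facing services
    # (Requirement 1); Requirement 2 gives one month with no exploit clause.
    if f.internet_facing:
        return f.released + (FACING_EXPLOIT if f.exploit_exists else FACING)
    return f.released + OTHER

def audit(findings, now):
    """Return (host, product, status, hours_late) rows, worst first."""
    rows = []
    for f in findings:
        if not f.vendor_supported:  # Requirement 5: remove or replace
            rows.append((f.host, f.product, "UNSUPPORTED", None))
            continue
        hours_late = round((now - deadline(f)).total_seconds() / 3600, 1)
        status = "OVERDUE" if hours_late > 0 else "WITHIN_WINDOW"
        rows.append((f.host, f.product, status, hours_late))
    rank = {"UNSUPPORTED": 0, "OVERDUE": 1, "WITHIN_WINDOW": 2}
    return sorted(rows, key=lambda r: (rank[r[2]], -(r[3] or 0)))

# Constructed sample data: hosts, products and dates are illustrative only.
NOW = datetime(2024, 3, 15, 9, 0)
SAMPLE = [
    Finding("web01", "web server", datetime(2024, 3, 12, 9, 0), True, exploit_exists=True),
    Finding("vpn01", "VPN gateway", datetime(2024, 3, 5, 9, 0), True),
    Finding("ws-114", "PDF software", datetime(2024, 2, 10, 9, 0), False, exploit_exists=True),
    Finding("kiosk-02", "Adobe Flash Player", None, False, vendor_supported=False),
]

if __name__ == "__main__":
    for row in audit(SAMPLE, NOW):
        print(*row, sep="\t")
```

A negative hours_late value is the time remaining before the window closes, so the same output can drive both escalation and scheduling.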
Don’t want to keep track of patches manually?
Luckily, there are plenty of software tools and IT companies out there that can do the grunt work for you. By employing software vendors or MSPs, you can automate updates and patches to a granular level and set and forget it, revising occasionally to ensure patches are rolling out correctly.