Implementing the ACSC Essential 8 Maturity Model. Mitigation Strategy 2: Patch Applications

The Essential 8 Maturity Model is a set of baseline cyber security measures for Australian organisations developed by the Australian Cyber Security Centre (ACSC). This article forms part of our Essential 8 series and goes into detail on Mitigation Strategy 2: Patch Applications. Read on to learn about how you can implement Mitigation Strategy 2: Patch Applications for all Essential 8 Maturity Levels within your organisation.

What is Patch Applications?

Now that we have cut down the number of applications that can be installed, and removed those that should never have been there in the first place, we can look at patching: keeping the applications that remain up to date.

Every day, more vulnerabilities, including zero-day vulnerabilities, are discovered in applications. You can see this trend in the NIST National Vulnerability Database (NVD) figures. With agile software development now commonplace in software houses, applications are being updated much faster, and those releases carry not only new features but also security fixes.

Application vulnerabilities increase your attack surface, leaving you open to exploitation. Some vulnerabilities are low severity, whilst others are critical and should be attended to before they are exploited. Vulnerabilities with known exploits should definitely be prioritised. CVSS or a similar vulnerability scoring system is your friend here, but a known exploit should outrank a raw score.

Patching applications, that is upgrading them to the latest stable release, reduces the number of vulnerabilities an attacker has to work with and so prevents attacks that rely on them.

 

Why is Patching Applications important?

If you have been following the series, we take a human-centric view to implementing Essential 8 by empathising with our users.

👩‍💼Business user

  • I want to have the latest features to allow me to be more productive
  • I want stability in my applications to deliver work
  • I don’t want any downtime, as I have deadlines to meet
  • I have no idea what a vulnerability is
  • I thought that updates were for new features
  • I don’t want updates to interrupt my workflow; I have urgent deadlines
  • I don’t know how to patch applications

✅Risk managers

  • I want all applications to be patched, starting with critical and high vulnerabilities
  • For the remaining applications, I want to understand the risk we are carrying by having them
  • Application patching should be performed quickly to minimise risks

👩‍💻IT users

  • I want to update all applications, but some releases are dodgy and need to be tested first
  • There are so many updates. How can I patch them all?
  • Some updates break things. I wonder if I should update them
  • There are so many legacy applications and even end-of-life applications. How can we upgrade these?
  • I want to patch applications, but I have no time to do it
  • There are more applications every year. How can I manage them?

😈Threat actors

  • I constantly scan organisations to see what application vulnerabilities I can exploit
  • I focus on high-return application vulnerabilities first, where I can do the most damage and make the most money
  • I find many organisations using old versions of applications and target those
  • I purchase ready-made tools to exploit vulnerabilities

 

Maturity Level 1: Patch Applications

An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities.

Asset discovery is the core of managing your IT assets, yet most companies still don’t get it right. How can we protect our assets when we don’t know what we are protecting? Asset discovery helps us understand today’s environment and gives us a baseline to start planning where we are going.

To meet this requirement, use an asset discovery or vulnerability management tool that automatically enumerates your workstations, servers and network devices at least fortnightly, so that the vulnerability scans that follow have a complete list of targets rather than only the assets someone remembered to register.

A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.

If we look at the NIST NVD figures for CVEs per year, about 20,000 CVEs were published in 2021, which is roughly 55 vulnerabilities per day. Some of those are operating system vulnerabilities, but you get the idea: there are many new vulnerabilities daily, not to mention changes in scores when exploits for existing vulnerabilities become known.

Therefore, your vulnerability scanner should be kept up to date. In addition, Essential 8 recommends that your vulnerability database be updated within 24 hours of the scan taking place; a scan run against a stale database will miss vulnerabilities that attackers already know about.

A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in internet-facing services.

As mentioned, vulnerabilities change constantly, from new disclosures to updated scores on existing ones. Fortunately, security researchers and scanner vendors track these changes, so we should use their work to keep our own environment safe rather than trying to follow every disclosure by hand.

This requirement at maturity level 1 applies only to internet-facing services. These services are exposed to the public, which means that even if you are not scanning them, threat actors may already be scanning you to find holes in your security.

Scan them daily and identify any missing patches or updates. Assessors will look for scan dates on internet-facing services, so ensure every scan is recorded along with its scope.

A vulnerability scanner is used at least fortnightly to identify missing patches or updates for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products.

Why target office productivity suites, web browsers and their extensions, email clients, PDF software and security products? These are the most commonly used applications in the business world. Look at Chrome: it had around 3.2 billion users in 2021, making it one of the most used applications in the world. In 2022 alone, 8 zero-day Chrome vulnerabilities were discovered, and McAfee reported malicious Chrome extensions affecting 1.4 million users.

Security products may not be used by business users every day, but ask yourself this: what is the point of having a security product with a known vulnerability?

Making sure vulnerabilities in these common applications are known and prioritised for patching quickly closes the routes bad actors most often use to get into your systems.

Scan these common applications and tools at least fortnightly, and keep a log of the scans that shows the scope covered these applications.

Patches, updates or vendor mitigations for security vulnerabilities in internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.

Having a vulnerability means leaving the door open to an attack. A vulnerability with a known exploit significantly increases the chance of an attack: once an exploit is public, ready-made tooling often follows, and threat actors who cannot write their own can simply buy it on the dark market.

Our friends at the ACSC know this, so they require that all internet-facing services be patched within two weeks of a patch being released, or within 48 hours where a known exploit exists. Close the door before attackers have any chance of getting into your environment.

Assessors will be checking your internet-facing services, their versions and install dates.

Patches, updates or vendor mitigations for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within one month of release.

Your common applications, as opposed to public internet-facing services, are usually harder to reach: an attacker typically needs a user to open a malicious document, visit a malicious page or install a malicious extension rather than being able to connect directly.

At maturity level 1, the ACSC only requires these applications to be patched within one month. Too lenient if you ask me, but then again, maturity level 1 is designed to defend against opportunistic threat actors.

Internet-facing services, office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed.

Anything that is end-of-life will not receive security updates. The vendor may have stopped supporting it, but organisations often keep using it, and threat actors know this. So if it is end-of-life, it should be removed. That is easier said than done: end-of-life software can be difficult to replace, and an end-of-life security product that is deeply tied into other systems is a project in itself to upgrade.

This requirement builds on the previous ones: if an application cannot be kept patched because the vendor no longer supports it, it must be removed.

 

Maturity Level 2: Patch Applications

A vulnerability scanner is used at least weekly to identify missing patches or updates for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products.

At maturity level 2, scanners must run weekly against the commonly used applications, instead of fortnightly at maturity level 1.

A vulnerability scanner is used at least fortnightly to identify missing patches or updates for security vulnerabilities in other applications.

This requirement is new at maturity level 2. Essential 8 now requires us to scan not just the commonly used business applications but every other application as well, at least fortnightly.

Patches, updates or vendor mitigations for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within two weeks of release.

Another increase in cadence, this time for patching. At maturity level 2, commonly used applications must be patched within two weeks of release instead of within one month at maturity level 1.

Patches, updates or vendor mitigations for security vulnerabilities in other applications are applied within one month of release.

This requirement complements the new fortnightly scan for other applications, requiring them to be patched or mitigated within one month of release.

 

Maturity Level 3: Patch Applications

Patches, updates or vendor mitigations for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within two weeks of release, or within 48 hours if an exploit exists.

At maturity level 3, the 48-hour timeframe that already applied to internet-facing services is extended to the commonly used applications: where an exploit exists they must be patched within 48 hours, and otherwise the two-week timeframe from maturity level 2 continues to apply.

Applications that are no longer supported by vendors are removed.

Pretty clear here: maturity level 1 required removal of unsupported software in the listed categories, and maturity level 3 widens that to any application the vendor no longer supports.
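The scan cadences and patch timeframes across the three maturity levels, together with the prioritisation advice from the start of this article (known exploit first, then CVSS), can be written down as a small checker that a vulnerability management team could run over scanner output. The following is an added example, not ACSC or CyberOxide code: it encodes the requirements as the article lists them, treats "one month" as 30 days and "48 hours" as 2 days (both assumptions), and runs over a constructed set of findings with made-up labels rather than real CVE identifiers.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional


class Category(Enum):
    INTERNET_FACING = 1  # internet-facing services
    COMMON = 2           # office suites, browsers and extensions, email, PDF, security products
    OTHER = 3            # all other applications (in scope from Maturity Level 2)


@dataclass
class Finding:
    ident: str                 # constructed label for the sample data, not a real CVE
    asset: str
    application: str
    category: Category
    cvss: float
    released: date             # day the vendor published the patch or mitigation
    exploit_known: bool        # a working exploit is publicly known
    patched_on: Optional[date] = None
    vendor_supported: bool = True


def max_scan_age_days(category: Category, ml: int) -> Optional[int]:
    """Maximum age of a vulnerability scan for this category at maturity level ml.
    None means the model sets no scan cadence for the category at that level."""
    if category is Category.INTERNET_FACING:
        return 1                      # daily at every level
    if category is Category.COMMON:
        return 14 if ml == 1 else 7   # fortnightly at ML1, weekly at ML2 and ML3
    return None if ml == 1 else 14    # other applications: fortnightly from ML2


def patch_deadline(f: Finding, ml: int) -> Optional[date]:
    """Date by which the patch or mitigation must be applied.
    Assumption: 'one month' is counted as 30 days and '48 hours' as 2 days."""
    if not f.vendor_supported:
        return None                   # end-of-life software is removed, not patched
    if f.category is Category.INTERNET_FACING:
        days = 2 if f.exploit_known else 14          # same at ML1, ML2 and ML3
    elif f.category is Category.COMMON:
        if ml == 1:
            days = 30
        elif ml == 2:
            days = 14
        else:
            days = 2 if f.exploit_known else 14
    else:                                             # Category.OTHER
        if ml == 1:
            return None               # not in scope at ML1
        days = 30
    return f.released + timedelta(days=days)


def status(f: Finding, ml: int, today: date) -> str:
    """One of: remove, untracked, patched, patched-late, overdue, open."""
    if not f.vendor_supported:
        return "remove"
    deadline = patch_deadline(f, ml)
    if deadline is None:
        return "untracked"
    if f.patched_on is not None:
        return "patched" if f.patched_on <= deadline else "patched-late"
    return "overdue" if today > deadline else "open"


def scan_overdue(last_scan: date, category: Category, ml: int, today: date) -> bool:
    """True when the most recent scan of this category is older than the model allows."""
    limit = max_scan_age_days(category, ml)
    return limit is not None and (today - last_scan).days > limit


def prioritise(findings: List[Finding], ml: int, today: date) -> List[Finding]:
    """Work queue: overdue first, then end-of-life removals, then open items; within
    each group known-exploit first, internet-facing before common before other,
    then nearest deadline, then highest CVSS."""
    rank = {"overdue": 0, "remove": 1, "open": 2}
    queue = [f for f in findings if status(f, ml, today) in rank]

    def key(f: Finding):
        return (rank[status(f, ml, today)], not f.exploit_known,
                f.category.value, patch_deadline(f, ml) or date.max, -f.cvss)

    return sorted(queue, key=key)


# Constructed sample scanner output (not real assets or vulnerabilities).
TODAY = date(2023, 3, 1)


def days_ago(n: int) -> date:
    return TODAY - timedelta(days=n)


SAMPLE = [
    Finding("F1", "web01", "reverse proxy", Category.INTERNET_FACING, 9.8, days_ago(5), True),
    Finding("F2", "web01", "reverse proxy", Category.INTERNET_FACING, 7.5, days_ago(10), False),
    Finding("F3", "ws-042", "web browser", Category.COMMON, 8.8, days_ago(20), True),
    Finding("F4", "ws-042", "PDF reader", Category.COMMON, 7.8, days_ago(40), False,
            patched_on=days_ago(35)),
    Finding("F5", "ws-017", "line-of-business app", Category.OTHER, 6.5, days_ago(45), False),
    Finding("F6", "ws-017", "Adobe Flash Player", Category.COMMON, 0.0, days_ago(400), False,
            vendor_supported=False),
]

if __name__ == "__main__":
    for ml in (1, 2, 3):
        print(f"Maturity Level {ml}")
        for f in prioritise(SAMPLE, ml, TODAY):
            print(f"  {status(f, ml, TODAY):8} {f.ident} {f.asset} {f.application}")
```

Running it shows how the same findings change status as the target level rises: the exploited browser vulnerability F3 is still within its window at maturity level 1 but is overdue at levels 2 and 3, and the line-of-business application F5 is not tracked at all at level 1 yet is overdue at level 2. The ordering in `prioritise` is a design choice for this example: an end-of-life product with no patch coming is ranked above items that are merely open, and a known exploit outranks a higher CVSS score without one.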

 

Concluding Patch Applications

Before you start patching, you need to know what to patch.

To know where you are, use a vulnerability scanning tool to build a baseline of what is installed and what is missing patches. But, of course, before you scan, make sure your vulnerability database is up to date. There is no point scanning against a database that is not current.

Once you have a baseline, it’s time to prioritise. Vulnerability scanning tools typically have scores that can help you prioritise your patching activity. Essential 8 is pretty clear on what applications are more susceptible to attacks starting with internet-facing servers, commonly used applications, followed by normal applications. If you have a vulnerability management team, this is where they can help you shine.

Now for the difficult part, the actual patching. If you are starting your Essential 8 journey, patching can be a long and painful process to get things up to scratch. As you progress through maturity levels, though, both scanning and patching become more regular and routine.

Don’t forget: you will need exceptional communication and change management in your organisation, as patching applications does not always go to plan and can result in business impact. Follow a test-and-learn approach and roll out gradually to minimise the impact where possible.

 

Where to Next?

Keep your organisation’s applications up to date! Accelerate your Essential 8 program and reach out to a CyberOxide Specialist to help uplift and assess your Essential 8 Mitigation Strategy 2: Application Patching maturity levels.

Continue learning about Essential 8 with our next article on Essential 8 Mitigation Strategy 3: Configure Microsoft Macros.

 

Continue with our Essential 8 series

8 Essential Mitigation Strategies:

  1. Application Control
  2. Patch Applications
  3. Configure Microsoft Macros
  4. User Application Hardening
  5. Restrict Admin Privileges
  6. Patch Operating Systems
  7. Multifactor Authentication
  8. Regular Backups


Looking to accelerate your Essential Eight implementation?

Learn about our Essential 8 Accelerator or simply contact a CyberOxide specialist to find how we can help you.
