Implementing the ACSC Essential 8 Maturity Model. Mitigation Strategy 6 - Patch Operating Systems

The Essential 8 Maturity Model is a set of baseline cyber security measures for Australian organisations developed by the Australian Cyber Security Centre (ACSC). This article forms part of our Essential 8 series and goes into detail on Mitigation Strategy 6 - Patch Operating Systems. Read on to learn about how you can implement Mitigation Strategy 6 - Patch Operating Systems for all Essential 8 Maturity Levels within your organisation.

What is Patch Operating Systems?

Have you heard of Patch Tuesday? Or it might be Wednesday for us Australians, given the time zone difference with the US. Microsoft is constantly patching Windows operating systems these days. As the leading operating system for organisations worldwide, Microsoft Windows and Windows Server are key targets for cybercriminals. Vulnerabilities are discovered frequently, studied by Microsoft’s research teams, and regularly patched. Like application patches, operating system patches contain both feature and security updates. You are likely also using other operating systems such as macOS, Android, iOS and Linux. These all need to be patched to stay secure.


While zero days are all the rage, cybercriminals do not usually target these. Organisations carry many business-critical yet legacy and end-of-life operating systems that are no longer supported. Upgrading operating systems without any business disruption is easier said than done. Therefore, known operating system vulnerabilities become easy targets for cybercriminals.


Why is Patching Operating Systems important?

Before we start patching our operating systems, we must understand our users.

👩‍💼Business users

  • I want to do my work with minimal disruptions
  • I want to use the latest features
  • I don’t want to upgrade in case things break
  • I don’t like when it auto upgrades in the middle of my meetings
  • I didn’t know updates include security fixes
  • The latest version crashes

✅Risk managers

  • I don’t want to have risks on our systems
  • We should upgrade as soon as possible to minimise the risk

👩‍💻IT users

  • We have end-of-life OS on hundreds of servers; the time it takes to upgrade them is significant
  • We operate and manage thousands of workstations and servers currently
  • We don’t have a vulnerability management program, it’s just ad hoc
  • We don’t have the capacity to constantly patch operating systems
  • I don’t want to cause impact to business operations, it might come back to bite us

😈Threat actors

  • I want to find easy-to-exploit operating system vulnerabilities where I can do the most damage and make the most returns
  • I know companies are bad at patching operating systems and still use end of life products
  • I want to use ready-made tools for exploits where they are available to save me time and money


Maturity Level 1: Patch Operating Systems

An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities.

Essential 8 takes a similar approach to patching operating systems as it does to Mitigation Strategy 2: Patching Applications. More often than not, asset and vulnerability scanners can scan applications and operating systems together, so the same tools can be utilised.

Like patching applications, patching operating systems starts with identifying your assets. If you don’t know what you are protecting, how can you protect them in the first place?

Use an asset discovery or vulnerability scanning tool to get visibility on your IT assets.

A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.

New vulnerabilities or zero days are found daily. Therefore, vulnerability databases should be updated regularly to make sure scans are up to date. If you are using a good vulnerability scanner, it should update itself, but it is still worth checking that the database is up to date in the 24 hours before you start your scans.

Assessors will compare the vulnerability database date against the scan date.

A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in operating systems of internet-facing services.

As we learned in Mitigation Strategy 2: Patching Applications, approximately 55 new vulnerabilities are found daily. That’s not to mention updates to current vulnerabilities. 

Essential 8 has identified that operating systems on internet-facing servers are most likely to be attacked by opportunistic adversaries at Maturity Level 1. Therefore, these operating systems should be scanned daily.

Scan your internet-facing server operating systems across the IT assets you have discovered in the first requirement daily.

A vulnerability scanner is used at least fortnightly to identify missing patches or updates for security vulnerabilities in operating systems of workstations, servers and network devices.

Endpoints within your environment that are not internet-facing do not need to be scanned as frequently, as they are likely to sit behind another system, making them more difficult for adversaries to reach.

Two weeks is risky. In the hybrid working environment we live in today, where the traditional network perimeter has evaporated, relying on the assumption that endpoints are configured correctly is a big one. For Maturity Level 1, though, the ACSC has found it to be sufficient.

Use your favourite vulnerability scanning tool on your workstations, servers, and network devices fortnightly for operating system updates across IT assets you have identified.

Patches, updates or vendor mitigations for security vulnerabilities in operating systems of internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.

It’s great that we have scanned our operating systems and identified vulnerabilities.

Now for the hard part, applying patches to internet-facing services within two weeks of release or within 48 hours if an exploit exists. Unfortunately, we have seen organisations with decades-old operating systems still providing the core capability. Therefore, while this requirement is excellent for new organisations that keep their operating systems up to date, for others, it could be a whole project to upgrade servers before meeting this requirement and moving onto Maturity Level 2.

If it is not already, get your operating system patches in order. Put together a patch management team if you don’t already have one. This requirement will only get more complicated at Maturity Levels 2 and 3 as patches must be applied with increasing regularity.

Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within one month of release.

While the requirement for scanning is fortnightly, you have one month to make operating system updates to workstations, servers, and network devices. Again, the ACSC relies on these devices sitting behind a firewall; hence the requirement for the update is quite long at 1 month.

The other thing to consider with operating system patching is that patches can be volatile and have bugs. Therefore, testing and having a rollout plan before each release is essential.

Have your patch management team update or create patch management processes.

Operating systems that are no longer supported by vendors are replaced.

Unlike patching applications, if the operating system is no longer supported, it must be removed to achieve Maturity Level 1. We can infer that the ACSC considers unsupported operating systems a higher risk than unsupported non-internet-facing applications, which do not need to be removed until Maturity Level 3.

Some environments we have had the pleasure to work with have Windows Servers from the early 2000s, which are now end-of-life. If you have any of these, review and replace them immediately.


Maturity Level 2: Patch Operating Systems

A vulnerability scanner is used at least weekly to identify missing patches or updates for security vulnerabilities in operating systems of workstations, servers and network devices.

Much like Mitigation Strategy 2: Patch Applications, Essential 8 requires that vulnerability scans are completed more frequently.

The scan requirement for operating system patches and updates moves from fortnightly at Maturity Level 1 to at least weekly at Maturity Level 2.

Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within two weeks of release.

As the requirement for scanning has increased, the requirement for patching at Maturity Level 2 has also increased.

It is now required that patches be applied within two weeks of a release. This is half the time required at Maturity Level 1.


Maturity Level 3: Patch Operating Systems

Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within two weeks of release, or within 48 hours if an exploit exists.

At Maturity Level 2, we are already scanning our assets weekly. There is no additional Essential 8 requirement to perform vulnerability scans more frequently.

However, patches do need to be implemented with more expediency. At Maturity Level 3, Essential 8 requires patches to be applied within 48 hours where a known exploit exists.

The latest release, or the previous release, of operating systems are used.

Some older versions of operating systems may still be used and supported by vendors. However, Essential 8 requires that we only use the latest or the previous release of an operating system.

It’s an ongoing theme. Keep your operating systems updated to stay secure.
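The scan cadences and patch windows across the three Maturity Levels above are easy to lose track of once you have hundreds of assets. The following Python script is an added example, not code from the article or from CyberOxide, that encodes those requirements as described on this page and checks a small constructed inventory against them for a chosen Maturity Level. The `OsAsset` fields, the `releases_behind` counter (0 = latest release, 1 = previous release) and the sample dates are assumptions made for the example; the script also assumes that the Maturity Level 1 internet-facing window (two weeks, or 48 hours if an exploit exists) carries forward unchanged to Maturity Levels 2 and 3, since the article only lists the workstation/server changes at those levels.

```python
"""Added example (not from the article): check a constructed OS asset
inventory against the Essential 8 scan cadences and patch windows."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class OsAsset:
    """Hypothetical asset record; field names are assumptions for this example."""
    name: str
    internet_facing: bool
    vendor_supported: bool
    releases_behind: int              # 0 = latest release, 1 = previous release
    last_scan: date                   # date of the last vulnerability scan
    scanner_db_updated: date          # vulnerability database date used by that scan
    vuln_released: Optional[date] = None   # oldest unpatched OS security fix, if any
    exploit_exists: bool = False
    patched_on: Optional[date] = None      # None = still unpatched


def patch_window_days(level: int, internet_facing: bool, exploit_exists: bool) -> int:
    """Days allowed between vendor release and applying the patch."""
    if internet_facing:
        # ML1 internet-facing rule; assumed to carry forward to ML2 and ML3
        return 2 if exploit_exists else 14
    if level == 1:
        return 30                     # one month for non-internet-facing at ML1
    if level == 2:
        return 14                     # two weeks at ML2
    return 2 if exploit_exists else 14   # ML3 adds the 48-hour rule


def scan_cadence_days(level: int, internet_facing: bool) -> int:
    """Maximum days between vulnerability scans."""
    if internet_facing:
        return 1                      # daily at every level
    return 14 if level == 1 else 7    # fortnightly at ML1, weekly at ML2/ML3


def assess(asset: OsAsset, level: int, today: date) -> list:
    """Return the list of Essential 8 findings for one asset (empty = compliant)."""
    findings = []
    if not asset.vendor_supported:
        findings.append("unsupported OS must be replaced")
    if level == 3 and asset.releases_behind > 1:
        findings.append("OS is older than the previous release")
    cadence = scan_cadence_days(level, asset.internet_facing)
    if (today - asset.last_scan).days > cadence:
        findings.append(f"last scan older than {cadence} day(s)")
    # Assessors compare the database date with the scan date: allow at most 24h
    if (asset.last_scan - asset.scanner_db_updated).days > 1:
        findings.append("scanner database not updated within 24h of the scan")
    if asset.vuln_released is not None:
        window = patch_window_days(level, asset.internet_facing, asset.exploit_exists)
        deadline = asset.vuln_released + timedelta(days=window)
        if asset.patched_on is None and today > deadline:
            findings.append(f"patch overdue (deadline {deadline})")
        elif asset.patched_on is not None and asset.patched_on > deadline:
            findings.append(f"patch applied late (deadline {deadline}, applied {asset.patched_on})")
    return findings


# Constructed sample inventory: names, dates and states are made up for the example.
TODAY = date(2023, 3, 20)
INVENTORY = [
    OsAsset("web-01", True, True, 0, date(2023, 3, 20), date(2023, 3, 19),
            vuln_released=date(2023, 3, 14), exploit_exists=True),
    OsAsset("file-02", False, True, 1, date(2023, 3, 10), date(2023, 3, 10),
            vuln_released=date(2023, 2, 25), patched_on=date(2023, 3, 15)),
    OsAsset("legacy-03", False, False, 4, date(2023, 3, 18), date(2023, 3, 1)),
]


def compliance_report(inventory, level: int, today: date = TODAY) -> dict:
    """Map each asset name to its findings at the given Maturity Level."""
    return {asset.name: assess(asset, level, today) for asset in inventory}


if __name__ == "__main__":
    for level in (1, 2, 3):
        print(f"Maturity Level {level}")
        for name, findings in compliance_report(INVENTORY, level).items():
            print(f"  {name}: {findings or 'compliant'}")
```

Running it shows how the same inventory slips from compliant to non-compliant as the level rises: `file-02` passes Maturity Level 1 but at Level 2 its scan is too old and its patch landed after the two-week window, while `legacy-03` gains a third finding at Level 3 because it is more than one release behind. The assumption about internet-facing windows at Levels 2 and 3 is isolated in `patch_window_days`, so it can be adjusted in one place if your assessor reads the control differently.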


Concluding Patch Operating Systems

With the constantly evolving threat landscape and the ever-increasing number of vulnerabilities and exploits found, it is good hygiene and common sense to keep operating systems updated.

Mitigation Strategy 6: Patch Operating Systems and Mitigation Strategy 2: Patch Applications have many synergies. They require identifying your assets, keeping your vulnerability databases updated, scanning your assets for updates and updating them with increasing frequency at each Maturity Level. Therefore, these two Mitigation Strategies can be tackled together.

Pick an asset management and vulnerability scanning tool, define your scope, and start scanning and patching your operating systems.


Where to Next?

Patch your organisation’s Operating Systems! Accelerate your Essential 8 program and reach out to a CyberOxide Specialist to help uplift and assess your Essential 8 Mitigation Strategy 6: Patch Operating Systems.

Continue learning about Essential 8 with our next article on Essential 8 Mitigation Strategy 7: Multifactor Authentication.


Continue with our Essential 8 series

8 Essential Mitigation Strategies:

  1. Application Control
  2. Patch Applications
  3. Configure Microsoft Macros
  4. User Application Hardening
  5. Restrict Admin Privileges
  6. Patch Operating Systems
  7. Multifactor Authentication
  8. Regular Backups


Looking to accelerate your Essential Eight implementation?

Learn about our Essential 8 Accelerator or simply contact a CyberOxide specialist to find out how we can help you.
