The next mitigation strategy in the ACSC’s Essential Eight is Patch Applications. If there is a security vulnerability in an application used by an organisation, it can enable adversaries to execute malicious code, which can result in significant consequences for an organisation.

The ACSC defines a patch as “a piece of software designed to remedy security vulnerabilities or improve the usability or performance of software and ICT equipment” and a security vulnerability as a “flaw in an application or operating system rather than a misconfiguration or deployment flaw.”

As well as performing patching, it is also important to implement ongoing, regular vulnerability scans of the organisation’s assets to help identify instances where the patch strategy is failing.

It is important to note that there are several applications that the ACSC regards as critical for the Patch Applications strategy, including Adobe Flash, web browsers, Microsoft Office, Oracle Java and PDF viewers.

Recommended timeframes for applying patches

When an exploit is active, it is imperative that organisations do not wait for their applications to update on their own schedule, and instead proactively apply patches in the shortest possible timeframe. The ACSC recommends the following timeframes for applying patches to applications:

Basic cyber threats:

  • internet-facing services: within two weeks, or within 48 hours if an exploit exists

  • commonly-targeted applications: within one month

Moderate cyber threats:

  • internet-facing services: within two weeks, or within 48 hours if an exploit exists

  • commonly-targeted applications: within two weeks

  • other applications: within one month

Advanced cyber threats:

  • internet-facing services: within two weeks, or within 48 hours if an exploit exists

  • commonly-targeted applications: within two weeks, or within 48 hours if an exploit exists

  • other applications: within one month

Recommended timeframes for vulnerability scanning

Vulnerability scanning provides organisations with insight into the true patch status of their environment. Scans can be used to verify that application patching has been successful and the environment is no longer vulnerable, and to give notice of newly discovered vulnerabilities in installed applications before an update is available from the vendor, allowing alternate mitigations to be put in place.

The ACSC recommends the following timeframes for conducting vulnerability scans:

Basic cyber threats:

  • internet-facing services: daily

  • commonly-targeted applications: fortnightly

  • other applications: as required

Moderate cyber threats:

  • internet-facing services: daily

  • commonly-targeted applications: weekly

  • other applications: fortnightly

Advanced cyber threats:

  • internet-facing services: daily

  • commonly-targeted applications: weekly

  • other applications: fortnightly
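The two tables above (patch timeframes and scan cadences per threat tier) are easy to encode so that a scanner export can be checked against them automatically. The following Python script is an added example written for this page, not ACSC tooling or code from the original text. It assumes the three threat tiers and three application categories used in the tables, treats "one month" as 30 days and "48 hours" as 2 days, and uses constructed sample findings and asset records (the `id`, `category`, `released`, `exploit_exists`, `patched_on` and `last_scan` fields are an assumed record shape, not a real scanner format). Where the basic tier gives no patch timeframe or scan interval for "other" applications, the code reports that explicitly rather than guessing one.

```python
from datetime import date, timedelta

# Patch timeframes from the ACSC tables above, expressed in days.
# Assumptions made for this example: "one month" is treated as 30 days and
# "48 hours" as 2 days. The "exploit" entry applies when a working exploit
# exists for the vulnerability; where the table gives no separate exploit
# timeframe the normal one is repeated.
PATCH_DEADLINES = {
    "basic": {
        "internet-facing":   {"normal": 14, "exploit": 2},
        "commonly-targeted": {"normal": 30, "exploit": 30},
        # the basic tier sets no timeframe for "other" applications
    },
    "moderate": {
        "internet-facing":   {"normal": 14, "exploit": 2},
        "commonly-targeted": {"normal": 14, "exploit": 14},
        "other":             {"normal": 30, "exploit": 30},
    },
    "advanced": {
        "internet-facing":   {"normal": 14, "exploit": 2},
        "commonly-targeted": {"normal": 14, "exploit": 2},
        "other":             {"normal": 30, "exploit": 30},
    },
}

# Maximum days between scans; None means "as required" (no fixed interval).
SCAN_INTERVALS = {
    "basic":    {"internet-facing": 1, "commonly-targeted": 14, "other": None},
    "moderate": {"internet-facing": 1, "commonly-targeted": 7,  "other": 14},
    "advanced": {"internet-facing": 1, "commonly-targeted": 7,  "other": 14},
}


def patch_deadline(tier, category, released, exploit_exists):
    """Return the date by which a patch must be applied, or None if the
    table sets no timeframe for this tier/category."""
    rules = PATCH_DEADLINES[tier].get(category)
    if rules is None:
        return None
    return released + timedelta(days=rules["exploit" if exploit_exists else "normal"])


def patch_status(finding, tier, today):
    """Classify one vulnerability finding against the patch timeframe."""
    deadline = patch_deadline(tier, finding["category"], finding["released"],
                              finding["exploit_exists"])
    if deadline is None:
        return "no-timeframe"
    patched_on = finding.get("patched_on")
    if patched_on is not None:
        return "compliant" if patched_on <= deadline else "patched-late"
    return "overdue" if today > deadline else "open"


def scan_status(asset, tier, today):
    """Check whether an asset's last vulnerability scan is within the cadence."""
    interval = SCAN_INTERVALS[tier][asset["category"]]
    if interval is None:
        return "as-required"
    return "overdue" if (today - asset["last_scan"]).days > interval else "current"


def compliance_report(findings, assets, tier, today):
    """Summarise patch and scan compliance for one threat tier."""
    return {
        "patches": {f["id"]: patch_status(f, tier, today) for f in findings},
        "scans": {a["name"]: scan_status(a, tier, today) for a in assets},
    }


# Constructed sample data, not real findings: a handful of scanner results
# and asset records in the assumed record shape described above.
TODAY = date(2024, 3, 15)
SAMPLE_FINDINGS = [
    {"id": "F1", "category": "internet-facing", "released": date(2024, 3, 12),
     "exploit_exists": True, "patched_on": None},
    {"id": "F2", "category": "commonly-targeted", "released": date(2024, 3, 1),
     "exploit_exists": False, "patched_on": date(2024, 3, 10)},
    {"id": "F3", "category": "other", "released": date(2024, 2, 1),
     "exploit_exists": False, "patched_on": None},
    {"id": "F4", "category": "internet-facing", "released": date(2024, 3, 10),
     "exploit_exists": False, "patched_on": None},
]
SAMPLE_ASSETS = [
    {"name": "vpn-gateway", "category": "internet-facing", "last_scan": date(2024, 3, 13)},
    {"name": "browser-fleet", "category": "commonly-targeted", "last_scan": date(2024, 3, 5)},
    {"name": "hr-app", "category": "other", "last_scan": date(2024, 2, 20)},
]

if __name__ == "__main__":
    for tier in ("basic", "moderate", "advanced"):
        print(tier, compliance_report(SAMPLE_FINDINGS, SAMPLE_ASSETS, tier, TODAY))
```

Running the script for all three tiers shows how the same scanner output is judged differently by tier: the finding with a public exploit on an internet-facing service is overdue everywhere after 48 hours, while the "other" application finding has no timeframe at the basic tier but is overdue at moderate and advanced.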

REMEDIATION STRATEGIES

When it comes to internet-facing services, including websites, VPN and Remote Desktop Services, organisations at all maturity levels need to ensure updates are applied within two weeks of release or 48 hours if an exploit exists, and vulnerability scanning is completed daily.

Maturity Level One

In addition to patching and scanning internet-facing servers, Maturity Level One organisations must patch vulnerabilities within one month of release and use a vulnerability scanner on a fortnightly basis on office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, or security products.

They also need to remove any internet-facing services, office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, or security products on any assets that are no longer supported by the vendor.

Maturity Level Two

Maturity Level Two organisations expand their strategy to include all applications, ensuring patches, updates and vendor mitigations are applied within one month of release and vulnerability scanning occurs at least fortnightly. Vulnerability scanning of office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, or security products is increased to weekly, from fortnightly, at Maturity Level Two.

Maturity Level Three

At Maturity Level Three, organisations must mitigate detected vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, or security products within two weeks of detection, instead of one month at Level Two, and within 48 hours if an exploit exists. Level Three organisations must also remove any application that is no longer supported by the vendor.