Operating Systems are highly complex. Windows, macOS and Linux contain millions of lines of code, thousands of packages, and hundreds of services. Mistakes made by developers in any component can have disastrous consequences. To correct those mistakes, organisations need to implement the Patch Operating Systems mitigation strategy, designed to mitigate security vulnerabilities in operating systems of internet-facing services, workstations, servers, and networking devices in a timely fashion.

As with the Patch Applications mitigation strategy, there are two main activities associated with patching operating systems – performing the patch, and implementing ongoing, regular vulnerability scans of an organisation’s assets to help identify instances where the patch strategy is failing.

It’s important to note that no organisation should make use of an operating system that is no longer supported by the vendor. Continued use of End-of-Life operating systems can negate almost every other defence that an organisation might put in place.

Recommended timeframes for applying patches

The ACSC recommends the following timeframes for applying patches to operating systems:

Basic cyber threats:

  • internet-facing services: within two weeks, or within 48 hours if an exploit exists

  • workstations, servers, network devices and other network-connected devices: within one month

Moderate cyber threats:

  • internet-facing services: within two weeks, or within 48 hours if an exploit exists

  • workstations, servers, network devices and other network-connected devices: within two weeks

Advanced cyber threats:

  • internet-facing services: within two weeks, or within 48 hours if an exploit exists

  • workstations, servers, network devices and other network-connected devices: within two weeks, or within 48 hours if an exploit exists
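As an added example (not part of the ACSC guidance on this page), the patch timeframes above encoded as a compliance check: given a constructed asset inventory, it computes each asset's deadline for a chosen threat tier and reports overdue or End-of-Life systems. The "internal" class stands for workstations, servers and network devices, and "one month" is assumed to be 30 days.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Deadlines from the table above, keyed by threat tier and asset class, as
# (deadline without a known exploit, deadline when an exploit exists).
# "within one month" is taken as 30 days (an assumption; the page gives no day count).
PATCH_DEADLINES = {
    "basic": {"internet-facing": (timedelta(weeks=2), timedelta(hours=48)),
              "internal": (timedelta(days=30), timedelta(days=30))},
    "moderate": {"internet-facing": (timedelta(weeks=2), timedelta(hours=48)),
                 "internal": (timedelta(weeks=2), timedelta(weeks=2))},
    "advanced": {"internet-facing": (timedelta(weeks=2), timedelta(hours=48)),
                 "internal": (timedelta(weeks=2), timedelta(hours=48))},
}

@dataclass
class Asset:
    name: str
    asset_class: str                   # "internet-facing" or "internal" (workstation, server, network device)
    patch_released: "datetime | None"  # release time of the oldest missing OS patch; None if fully patched
    exploit_exists: bool               # a public exploit is known for the missing patch
    vendor_supported: bool             # False once the OS has reached End-of-Life

def patch_deadline(asset: Asset, tier: str) -> datetime:
    """Latest acceptable install time for the asset's missing patch under the given tier."""
    normal, exploited = PATCH_DEADLINES[tier][asset.asset_class]
    return asset.patch_released + (exploited if asset.exploit_exists else normal)

def assess(assets, tier: str, now: datetime) -> dict:
    """Map each non-compliant asset name to the reason it fails the tier's requirements."""
    findings = {}
    for a in assets:
        if not a.vendor_supported:
            # Unsupported operating systems must go regardless of tier or patch state.
            findings[a.name] = "end-of-life operating system"
        elif a.patch_released is not None and now > patch_deadline(a, tier):
            overdue = now - patch_deadline(a, tier)
            findings[a.name] = f"patch overdue by {overdue.days} day(s)"
    return findings

# Constructed inventory (sample data, not from the page); evaluated as at 4 March 2024.
INVENTORY = [
    Asset("web-01", "internet-facing", datetime(2024, 3, 1), True, True),
    Asset("web-02", "internet-facing", datetime(2024, 3, 1), False, True),
    Asset("wks-07", "internal", datetime(2024, 2, 10), False, True),
    Asset("srv-legacy", "internal", None, False, False),
]
AS_AT = datetime(2024, 3, 4)
if __name__ == "__main__":
    for tier in PATCH_DEADLINES:
        print(tier, assess(INVENTORY, tier, AS_AT))
```

The same workstation passes the basic tier but fails the moderate and advanced tiers, which is exactly the gap the maturity levels later on this page close.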

Recommended timeframes for vulnerability scanning

The ACSC recommends the following timeframes for conducting vulnerability scans for missing operating system patches:

Basic cyber threats:

  • internet-facing services: daily

  • workstations, servers, network devices and other network-connected devices: fortnightly

Moderate cyber threats:

  • internet-facing services: daily

  • workstations, servers, network devices and other network-connected devices: weekly

Advanced cyber threats:

  • internet-facing services: daily

  • workstations, servers, network devices and other network-connected devices: weekly

Remediation strategies

Organisations at every maturity level need to ensure that operating system updates for internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists, and need to remove all operating systems that are no longer supported by the vendor.

Maturity Level One

Organisations need to establish a central policy to control the patching of operating systems, such as configuring Update Ring settings for Windows 10 in Microsoft 365 Endpoint Manager to ensure that patches are installed at least monthly. Networking devices should also be manually or automatically patched monthly.

Organisations should run an external vulnerability scan of internet-facing services at least daily, and scan workstations, servers and network devices at least fortnightly. Organisations must also ensure that alerting is established and that alerts are actioned.

All operating systems, network infrastructure operating systems/firmware, and other device operating systems should be decommissioned when they are no longer supported by the vendor.

Maturity Level Two

Maturity Level Two organisations update their patch schedule, either manually or automatically, so that operating system patches are routinely applied within two weeks of release for workstations, servers and network devices, and they increase vulnerability scanning of these systems to weekly.

Maturity Level Three

At Maturity Level Three, organisations extend their strategy so that all devices are patched within 48 hours if an exploit exists. They also ensure that devices (including computers, servers and network infrastructure) run the latest or the previous release of their operating system, rather than just any supported edition; devices that do not meet this standard must be upgraded or decommissioned.

Organisations need to ensure that adequate monitoring of operating system versions and upcoming releases is conducted, with associated planning to perform upgrades before older versions are deprecated.