"Hi, my name is Michael, and I'm a Cyber Security Consultant here at AC3.
Next up in our Essential Eight overview, I'm going to cover patching operating systems.
Patching operating systems focuses on mitigating security vulnerabilities in operating systems of internet-facing services, workstations, servers, and networking devices.
As with patching applications, there are two main activities associated with this strategy. The first is obvious, which is performing the patching. The second is to implement ongoing, regular vulnerability scans of the organisation's assets. This helps identify instances where the patch strategy is failing or where assets may not be receiving patches for some reason.
At all maturity levels, patches, updates, or alternate mitigations for operating systems of internet-facing services need to be applied within two weeks of release or within 48 hours if an exploit exists.
Similarly, operating systems that are no longer supported by the vendors must be replaced at all maturity levels.
At Maturity Level One, patches, updates, or alternate mitigations for workstations and server operating systems need to be installed within one month. A vulnerability scanner needs to be used at least daily for all levels of maturity to identify missing patches and updates in the operating systems of internet-facing services.
For workstations, servers, and network devices, a vulnerability scan needs to be used at least fortnightly for Level One and weekly for Level Two and Three.
If you would like guidance on which maturity level is right for your organisation or how effective your current mitigation strategies are, please reach out to the team. We'd love to help."
AC3's Essential Eight Security Control Assessment can benchmark your current strategies against the ACSC's Essential Eight maturity models.