In this article, we’ll delve into the Essential Eight principle of ‘patch applications’. Simply put, patching refers to the process of updating software, akin to fixing a hole in a tyre. Software vendors regularly release patches to address known security vulnerabilities within their products. This aspect of the Essential Eight primarily addresses non-Microsoft software; Microsoft products are covered separately within the framework.
For small businesses aiming to comply with the Essential Eight’s patch applications guideline, achieving ‘Maturity Level 1’ is essential. Detailed guidelines for reaching this level can be found by searching for the ‘Essential Eight Maturity Model’. Let’s examine the key requirements to gain a clearer understanding of what’s necessary.
• An automated vulnerability scanner should be used to scan for vulnerabilities daily.
• Critical vulnerabilities in installed software must be patched within 48 hours of detection.
• For non-critical vulnerabilities, patches should be applied within two weeks of their release.
• Software that is no longer supported must be removed from users’ devices.
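To make those four requirements concrete, here is an added example (not from the original article or the Essential Eight documentation) that takes the findings a vulnerability scanner would produce and works out, per device and product, whether each one is still within its Maturity Level 1 timeframe, overdue, or should be removed because the software is unsupported. The findings, host names and dates are constructed for the demonstration; the assumption that the 48-hour clock runs from detection and the two-week clock from the patch release date follows the wording above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Maturity Level 1 timeframes as stated in the article (assumption: the
# critical clock starts at detection, the non-critical clock at patch release).
CRITICAL_SLA = timedelta(hours=48)
NON_CRITICAL_SLA = timedelta(weeks=2)
SCAN_INTERVAL = timedelta(days=1)  # "daily" scanning requirement


@dataclass
class Finding:
    host: str
    software: str
    severity: str            # "critical" or any lower rating from the scanner
    detected: datetime       # when the daily scan first reported it
    patch_released: datetime # vendor release date of the fixing patch
    supported: bool = True   # False when the vendor no longer supports the product
    patched: bool = False    # True once the scanner confirms the fix is installed


def deadline(f: Finding) -> datetime:
    """Latest acceptable patch time for a finding under Maturity Level 1."""
    if f.severity == "critical":
        return f.detected + CRITICAL_SLA
    return f.patch_released + NON_CRITICAL_SLA


def assess(findings, now: datetime):
    """Classify every finding as ok / due / overdue / remove."""
    results = []
    for f in findings:
        if not f.supported:
            status = "remove"     # unsupported software is removed, not patched
        elif f.patched:
            status = "ok"
        elif now > deadline(f):
            status = "overdue"
        else:
            status = "due"
        results.append((f.host, f.software, status))
    return results


def scan_is_current(last_scan: datetime, now: datetime) -> bool:
    """Daily scanning: the most recent scan must be no older than one day."""
    return now - last_scan <= SCAN_INTERVAL


def summarize(results):
    """Count findings per status so an owner can see the work outstanding."""
    counts = {"ok": 0, "due": 0, "overdue": 0, "remove": 0}
    for _, _, status in results:
        counts[status] += 1
    return counts


# Constructed sample scan output: five findings across four devices.
NOW = datetime(2024, 6, 10, 9, 0)
LAST_SCAN = datetime(2024, 6, 9, 22, 30)
SAMPLE = [
    Finding("pc-01", "Chrome", "critical", datetime(2024, 6, 7, 9, 0), datetime(2024, 6, 6)),
    Finding("pc-02", "Foxit Reader", "high", datetime(2024, 6, 9), datetime(2024, 6, 1)),
    Finding("pc-03", "Firefox", "critical", datetime(2024, 6, 9, 12, 0), datetime(2024, 6, 8)),
    Finding("pc-03", "OldPDF 3", "medium", datetime(2024, 5, 1), datetime(2024, 5, 1), supported=False),
    Finding("pc-04", "Adobe Reader", "high", datetime(2024, 6, 2), datetime(2024, 6, 1), patched=True),
]

if __name__ == "__main__":
    print("scan current:", scan_is_current(LAST_SCAN, NOW))
    for host, software, status in assess(SAMPLE, NOW):
        print(f"{host:6} {software:14} {status}")
    print(summarize(assess(SAMPLE, NOW)))
```

Running it with the constructed data flags the Chrome finding on pc-01 as overdue (detected three days ago, 48-hour window), leaves the Firefox finding on pc-03 as due (21 hours since detection), keeps the Foxit finding within its two-week window, and lists the unsupported PDF reader for removal. Any scanner that exports host, product, severity and dates can feed the same logic.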
It’s important to note that we’re discussing non-Microsoft products here, which include browsers, PDF readers and other software installed on devices. When it comes to vulnerability scanners, there’s a wide range available, but many of them can be quite expensive for small businesses. Luckily, some commercial vulnerability scanners offer free plans for a limited number of devices.
Additionally, many antivirus/endpoint protection products now have built-in vulnerability scanners, some of which even offer automatic patching features. These can be invaluable tools in maintaining compliance and staying secure.
Popular products such as Chrome, Firefox, Adobe Reader and Foxit, among others, also offer automatic update settings that can keep the programs up to date. However, it’s crucial to ensure that this service is enabled and functioning properly.
Remote management and monitoring (RMM) tools are gaining popularity; they work by installing a management agent on each device. Here are some key features of RMM tools:
• Automatic patch management: You can schedule patches, prioritising critical updates within 48 hours and normal updates within a week.
• Device management: These tools provide insights into hardware stats, user disk space, error logs and even enable remote interactions with users via software such as TeamViewer.
However, RMM tools typically come with a monthly cost per device, and some have a minimum requirement of 20 devices. It’s crucial to conduct thorough research on these products, including any potential lock-in contracts.
Furthermore, it’s worth noting that some RMM tools have been breached in the past, allowing threat actors to distribute malware across all monitored devices. Therefore, when selecting a platform, thorough research is essential, and it’s important to understand that deploying software as a service could potentially introduce vulnerabilities into your network.
Lastly, there’s the traditional manual approach, which is undoubtedly the most challenging. Managing software across devices manually can be time-consuming. While not impossible, it requires allocating time each week to check each device. This task is relatively manageable with just one or two devices. However, as the number of devices increases, reaching 10 or more, the above suggestions become more suitable, particularly for larger businesses.
Patching isn’t limited to business devices; it’s crucial for home devices as well. This includes not only laptops and PCs but also phones, tablets, watches and even TVs. If we all adopt a consistent patching regimen, we can enhance the security of our devices online.
I trust you’ve found this information beneficial. Should you have any further inquiries or if any small business seeks advice, feel free to reach out. You can always contact me at askatech@mmg.com.au