What is Patch Applications?

Patch Applications refers to the process of updating software applications to fix vulnerabilities, enhance functionality, and improve performance. These updates, known as patches, address security flaws, compatibility issues, and bugs identified in existing software. As part of the Australian Cyber Security Centre (ACSC) Essential Eight framework, patching applications is critical for safeguarding organisational systems against cyber threats. Regular and timely patching closes the window in which known vulnerabilities can be exploited by malicious actors, thereby fortifying an organisation’s security posture.

Assessment Guidelines

The entries below list, for each ISM control, the Essential Eight requirement and the assessment guidelines an assessor should follow.
ISM-1807
Requirement: An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities.
Assessment guidelines: Ask for a demonstration of the automated method of asset discovery being used to identify assets associated with the system, such as workstations, servers and network devices. This may be a dedicated asset discovery tool or it may be equivalent functionality built into a vulnerability scanner. In addition, request evidence of previous automated asset discovery scans and pay attention to the date/time stamp and their scope.

Note, while an automated method of asset discovery should be used at least fortnightly, system owners may elect to align the frequency of asset discovery scans to more frequent timeframes used for vulnerability scans (such as daily or weekly) in order to perform both activities at the same time for optimal effect.

Finally, in addition to identifying assets for follow-on vulnerability scanning activities, automated asset discovery can also be used to identify any unauthorised assets that may have been connected to the system between scheduled scans. If unknown assets are identified as part of asset discovery scans, they should be immediately investigated and treated as suspicious until confirmed otherwise.

ISM-1808
Requirement: A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.
Assessment guidelines: Ask for a demonstration of a vulnerability scan. In addition, request evidence of the date/time stamp of when the vulnerability database used for the scan was last updated. Ideally, this should be within 24 hours of the vulnerability scan taking place.
ISM-1698
Requirement: A vulnerability scanner is used at least daily to identify missing patches or updates for vulnerabilities in online services.
Assessment guidelines: Ask for a demonstration of a vulnerability scan. In addition, request evidence of previous vulnerability scans and pay attention to the date/time stamp and scope of event logs. Check whether the list of scanned online services matches the list of online services that are known to be used.


ISM-1699
Requirement: A vulnerability scanner is used at least weekly to identify missing patches or updates for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products.
Assessment guidelines: Ask for a demonstration of a vulnerability scan. In addition, request evidence of previous vulnerability scans and pay attention to the date/time stamp and scope of event logs. Check whether the list of scanned applications includes the list of applications that should have been scanned.

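The checks for ISM-1807, ISM-1808, ISM-1698 and ISM-1699 all come down to two questions about the scan evidence: are the date/time stamps close enough together for the required cadence, and does the scope cover everything known to be in use? The PowerShell function below is an added example of how an assessor might apply both questions to a set of scan records; it is not code from the page or from any scanner product. The scan records and host names are constructed sample data, and the object shape (a Timestamp and a Scope per scan) is an assumption about how the evidence has been transcribed from the scanner's logs.

```powershell
# Added example: assessor-side check of scan evidence for ISM-1807, ISM-1808,
# ISM-1698 and ISM-1699. Each scan record carries the date/time stamp and the
# scope (asset names) taken from the scanner's logs. The function reports the
# longest gap between consecutive scans (plus the gap since the last scan),
# whether that gap fits the required cadence, and any known assets or services
# that never appeared in a scan's scope. Scan records below are constructed
# sample data, not real evidence.

function Test-ScanCadence {
    param(
        [Parameter(Mandatory)][object[]]$Scans,         # objects with Timestamp (DateTime) and Scope (string[])
        [Parameter(Mandatory)][timespan]$MaxInterval,   # 1 day (ISM-1698), 7 days (ISM-1699), 14 days (ISM-1807)
        [Parameter(Mandatory)][string[]]$KnownAssets,   # authoritative list the scope is compared against
        [datetime]$AsOf = (Get-Date)                    # assessment date; the last scan must still be recent
    )
    $ordered = @($Scans | Sort-Object Timestamp)
    $gaps = @()
    for ($i = 1; $i -lt $ordered.Count; $i++) {
        $gaps += ($ordered[$i].Timestamp - $ordered[$i - 1].Timestamp)
    }
    # The time since the most recent scan counts too: stale evidence fails the cadence.
    $gaps += ($AsOf - $ordered[-1].Timestamp)
    $longestHours = ($gaps | Measure-Object -Property TotalHours -Maximum).Maximum

    # Union of every scan's scope, compared with the list of assets known to be in use.
    $scanned         = @($ordered | ForEach-Object { $_.Scope } | Sort-Object -Unique)
    $neverScanned    = @($KnownAssets | Where-Object { $_ -notin $scanned })
    $droppedFromLast = @($KnownAssets | Where-Object { $_ -notin $ordered[-1].Scope })

    [pscustomobject]@{
        ScanCount           = $ordered.Count
        LongestGapHours     = [math]::Round($longestHours, 1)
        CadenceMet          = ($longestHours -le $MaxInterval.TotalHours)
        NeverScanned        = $neverScanned
        MissingFromLastScan = $droppedFromLast
    }
}

# Constructed evidence: daily online-service scans with a three-day gap, one
# host dropped from the latest scan and one known host never scanned at all.
$sampleScans = @(
    [pscustomobject]@{ Timestamp = [datetime]'2024-03-01 02:00'; Scope = @('web-01', 'web-02', 'vpn-01') },
    [pscustomobject]@{ Timestamp = [datetime]'2024-03-02 02:00'; Scope = @('web-01', 'web-02', 'vpn-01') },
    [pscustomobject]@{ Timestamp = [datetime]'2024-03-05 02:00'; Scope = @('web-01', 'web-02') }
)
$knownOnlineServices = @('web-01', 'web-02', 'vpn-01', 'mail-01')

Test-ScanCadence -Scans $sampleScans -MaxInterval ([timespan]::FromDays(1)) `
    -KnownAssets $knownOnlineServices -AsOf ([datetime]'2024-03-05 08:00') | Format-List
```

With the constructed records the function flags the three-day gap against a one-day requirement, lists mail-01 as never scanned and vpn-01 as missing from the latest scan. The same function serves the fortnightly asset discovery check by passing a 14-day interval and the asset inventory as the known list.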

ISM-1876
Requirement: Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.
Assessment guidelines: A network-based vulnerability scanner can be used to identify online services, their versions and install dates. This can then be reviewed alongside the release date of patches to determine whether patching timeframes have been met.

There are several free tools available to support the assessment of this control, including ASD’s Essential Eight Maturity Verification Tool (E8MVT), Nessus Essentials, Nexpose Community Edition, OpenVAS and Qualys Community Edition. There are also several paid tools available. In choosing a tool to use, make sure that it has been thoroughly tested beforehand to ensure it is fit-for-purpose.

Note, a scanner may not identify missing vendor mitigations such as configuration changes.

If a network-based vulnerability scanner cannot be used, screenshots of versions for online services can be requested. This allows for manual checking against the latest versions available from vendors. Alternatively, a list of online services may be requested (noting that malicious actors often exploit vulnerabilities in online services that the system owner may have forgotten about or that were installed without their knowledge).

ISM-1690
Requirement: Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.
Assessment guidelines: A network-based vulnerability scanner can be used to identify online services, their versions and install dates. This can then be reviewed alongside the release date of patches to determine whether patching timeframes have been met.

There are several free tools available to support the assessment of this control, including ASD’s E8MVT, Nessus Essentials, Nexpose Community Edition, OpenVAS and Qualys Community Edition. There are also several paid tools available. In choosing a tool to use, make sure that it has been thoroughly tested beforehand to ensure it is fit-for-purpose.

Note, a scanner may not identify missing vendor mitigations such as configuration changes.

If a network-based vulnerability scanner cannot be used, screenshots of versions for online services can be requested. This allows for manual checking against the latest versions available from vendors. Alternatively, a list of online services may be requested (noting that malicious actors often exploit vulnerabilities in online services that the system owner may have forgotten about or that were installed without their knowledge).
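ISM-1876 and ISM-1690 share one assessment step: take the install date the scanner reports for each online service, take the vendor's release date for the fix, and decide which window applies (48 hours when the vendor rates the vulnerability critical or a working exploit exists, two weeks otherwise). The PowerShell below is an added example of that comparison carried through, not code from the page or from any scanner; it also covers the flat two-week window for applications under ISM-1691. The findings, asset names and product names are constructed sample data, and the field names (ReleaseDate, InstallDate, VendorCritical, ExploitExists) are an assumed layout for scanner output that has been joined with vendor advisory dates.

```powershell
# Added example: patch timeframe check for ISM-1876, ISM-1690 and ISM-1691.
# For an online service the allowed window is 48 hours when the vendor rates
# the vulnerability critical or a working exploit exists, otherwise two weeks;
# for an application (ISM-1691) it is two weeks regardless. InstallDate comes
# from the scanner output, ReleaseDate from the vendor's advisory. The findings
# below are constructed sample data with placeholder product names.

function Get-PatchWindow {
    param(
        [bool]$VendorCritical,
        [bool]$ExploitExists,
        [ValidateSet('OnlineService', 'Application')][string]$Kind
    )
    if ($Kind -eq 'OnlineService' -and ($VendorCritical -or $ExploitExists)) {
        return [timespan]::FromHours(48)
    }
    return [timespan]::FromDays(14)
}

function Test-PatchTimeframe {
    param(
        [Parameter(Mandatory)][object[]]$Findings,
        [datetime]$AsOf = (Get-Date)      # assessment date, used for items not yet patched
    )
    foreach ($f in $Findings) {
        $window   = Get-PatchWindow -VendorCritical $f.VendorCritical -ExploitExists $f.ExploitExists -Kind $f.Kind
        $deadline = $f.ReleaseDate + $window
        $applied  = ($null -ne $f.InstallDate)
        # Met: patched on or before the deadline. WithinWindow: not yet patched but the
        # deadline has not passed as of the assessment date. Otherwise overdue.
        $status = if ($applied -and $f.InstallDate -le $deadline) { 'Met' }
                  elseif (-not $applied -and $AsOf -le $deadline) { 'WithinWindow' }
                  else { 'Overdue' }
        [pscustomobject]@{
            Asset       = $f.Asset
            Product     = $f.Product
            Kind        = $f.Kind
            WindowHours = $window.TotalHours
            ReleaseDate = $f.ReleaseDate
            Deadline    = $deadline
            InstallDate = $f.InstallDate
            Status      = $status
        }
    }
}

# Constructed findings: a critical online-service fix applied inside 48 hours,
# a non-critical online-service fix still missing weeks after release, and an
# application patch applied inside its two-week window.
$sampleFindings = @(
    [pscustomobject]@{ Asset = 'web-01'; Product = 'example-webserver 2.4.0';  Kind = 'OnlineService'
                       VendorCritical = $true;  ExploitExists = $true
                       ReleaseDate = [datetime]'2024-03-01 09:00'; InstallDate = [datetime]'2024-03-02 18:00' },
    [pscustomobject]@{ Asset = 'vpn-01'; Product = 'example-vpn 5.1';          Kind = 'OnlineService'
                       VendorCritical = $false; ExploitExists = $false
                       ReleaseDate = [datetime]'2024-02-10 09:00'; InstallDate = $null },
    [pscustomobject]@{ Asset = 'ws-07';  Product = 'example-pdf-reader 11.0';  Kind = 'Application'
                       VendorCritical = $true;  ExploitExists = $false
                       ReleaseDate = [datetime]'2024-02-20 09:00'; InstallDate = [datetime]'2024-03-04 10:00' }
)

Test-PatchTimeframe -Findings $sampleFindings -AsOf ([datetime]'2024-03-10 00:00') | Format-Table -AutoSize
```

The first and third findings come out as Met and the second as Overdue. Note that the check only covers patches the scanner can see installed; as the text says, missing vendor mitigations that are configuration changes need to be verified separately.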

ISM-1691
Requirement: Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within two weeks of release.
Assessment guidelines: A vulnerability scanner can be used to assess applications, their versions and install dates.

The above output should be reviewed alongside the release date for each application to determine whether patching timeframes have been met.

Alternatively, PowerShell can be used to identify applications with registered uninstall functionality. However, this method alone will not always cover all applications that are installed on a system. As a result, it should be combined with the list of installed applications within ‘Programs and Features’.

While this approach can be used for assessments, limitations in coverage should be noted. For key applications though, it will likely be sufficient. If any key applications appear to be missing in reports provided, this should be raised for clarification.

Below is a PowerShell script to output a list of installed applications with registered uninstall functionality. This list should be reviewed in conjunction with the list of installed applications within ‘Programs and Features’ to ensure no applications are missed.
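The page's own script is not reproduced here. The following is an added example, written for this edit rather than taken from the page, of the approach the text describes: reading the Uninstall keys under HKLM (64-bit and WOW6432Node) and HKCU, which is where installers that register uninstall functionality write their entries. These registry paths are standard Windows locations; the output file name is an assumption.

```powershell
# Added example (not the page's own script): list installed applications that
# registered uninstall functionality, by reading the 64-bit, 32-bit
# (WOW6432Node) and per-user Uninstall registry keys. Entries without a
# DisplayName are component records rather than applications and are skipped.
# The result should still be compared with 'Programs and Features', as the
# page advises, because not every installer writes one of these keys.

function Get-RegisteredApplication {
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            # InstallDate, when present, is yyyyMMdd text; convert it so it can be
            # compared with patch release dates later.
            $installed = $null
            if ($_.InstallDate -match '^\d{8}$') {
                $installed = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
            }
            $scope = if ($_.PSPath -like '*HKEY_CURRENT_USER*') { 'user' }
                     elseif ($_.PSPath -like '*WOW6432Node*') { 'x86' }
                     else { 'x64' }
            [pscustomobject]@{
                DisplayName    = $_.DisplayName
                DisplayVersion = $_.DisplayVersion
                Publisher      = $_.Publisher
                InstallDate    = $installed
                Scope          = $scope
                RegistryKey    = $_.PSChildName
            }
        } |
        Sort-Object DisplayName, DisplayVersion
}

# Typical use: export the inventory for comparison with 'Programs and Features'
# and with the vulnerability scanner's application list.
Get-RegisteredApplication | Export-Csv -Path '.\installed-applications.csv' -NoTypeInformation
```

Applications installed per user (for example some browsers) only appear under HKCU for the user running the script, which is one reason the page warns that this method alone does not cover everything; running it under each profile in scope, or cross-checking with the scanner's inventory, closes that gap.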

ISM-1905
Requirement: Online services that are no longer supported by vendors are removed.
Assessment guidelines: A vulnerability scanner can be used to assess online services and whether they are end of life.

Request a demonstration that shows the versions of online service being used. This allows for manual checking against a list of supported versions.

ISM-1704
Requirement: Office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed.
Assessment guidelines: A vulnerability scanner can be used to assess applications and whether they are end of life.

Request a demonstration that shows the versions of applications being used. This allows for manual checking against a list of supported versions.

In addition, check if hotfix KB4577586 has been applied to demonstrate that Adobe Flash Player is no longer supported. Note, this hotfix will only remove Adobe Flash Player if it was installed by Microsoft Windows. If Adobe Flash Player was installed manually from another source, it will not be removed by this hotfix.
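Because KB4577586 only removes the copy of Adobe Flash Player that shipped with Windows, checking for the hotfix alone can give a false sense of completeness. The PowerShell below is an added example (not from the page) that pairs the hotfix check with a look for leftover Flash Player binaries and uninstall entries left by a manual install. It assumes the hotfix is listed by Get-HotFix on the assessed host, and the Macromed\Flash folders are the locations Flash Player used on Windows; both are stated as assumptions rather than taken from the page.

```powershell
# Added example: verify Adobe Flash Player removal for ISM-1704.
# KB4577586 only removes the Windows-bundled Flash Player, so the hotfix check
# is paired with a search for leftover Flash files and for uninstall entries
# from a manual install. The folder paths below are where Flash Player placed
# its ActiveX and plugin binaries on Windows (assumption, not from the page).

function Test-FlashPlayerRemoved {
    # Get-HotFix writes a non-terminating error when the update is absent; suppress it.
    $hotfix = Get-HotFix -Id 'KB4577586' -ErrorAction SilentlyContinue
    $hotfixDate = if ($hotfix) { $hotfix.InstalledOn } else { $null }

    $flashFolders = @(
        "$env:WINDIR\System32\Macromed\Flash",
        "$env:WINDIR\SysWOW64\Macromed\Flash"
    )
    $leftoverFiles = @($flashFolders |
        Where-Object { Test-Path -Path $_ } |
        ForEach-Object { Get-ChildItem -Path $_ -Recurse -File -ErrorAction SilentlyContinue } |
        Where-Object { $_.Name -match '\.(ocx|dll)$' } |
        Select-Object -ExpandProperty FullName)

    # A manual install registers its own uninstall entry, which the hotfix does not touch.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $uninstallEntries = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Adobe Flash Player*' } |
        Select-Object -ExpandProperty DisplayName)

    [pscustomobject]@{
        HotfixApplied     = [bool]$hotfix
        HotfixInstalledOn = $hotfixDate
        LeftoverFiles     = $leftoverFiles
        UninstallEntries  = $uninstallEntries
        # Only pass when the hotfix is present and nothing from a manual install remains.
        Removed           = ([bool]$hotfix) -and ($leftoverFiles.Count -eq 0) -and ($uninstallEntries.Count -eq 0)
    }
}

Test-FlashPlayerRemoved | Format-List
```

If Removed is false while HotfixApplied is true, the remaining files or uninstall entries point to a manual install that has to be removed through its own uninstaller, which is the case the text warns about.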

Benefits of Patching Applications

Patching applications offers several benefits that contribute to the overall security and efficiency of organisational systems. Enhanced security is one of the primary advantages, as timely patches address known vulnerabilities, reducing the risk of exploitation and preventing potential breaches. Additionally, many patches include optimisations that enhance the functionality and efficiency of applications, leading to improved performance. Adhering to patching requirements also helps organisations meet compliance obligations, such as those outlined in the ACSC Essential Eight framework. Proactively addressing software issues through patching minimises unplanned downtime and helps maintain business continuity. Furthermore, demonstrating a commitment to security through regular patching builds confidence among stakeholders and clients, enhancing customer trust.

Challenges and Issues in Patching Applications

Despite its importance, patching applications can pose several challenges. Organisations often operate diverse IT environments with numerous applications, making it difficult to manage patches consistently. Some patches may conflict with existing systems or software, leading to unexpected errors or downtime. Small to medium-sized organisations may face additional difficulties due to limited IT resources needed for timely patching. Deploying patches without proper testing can introduce new vulnerabilities or disrupt critical systems, further complicating the process. Determining which patches to apply first can also be challenging, particularly when multiple updates are released simultaneously.

Best Practices for Effective Patching

To overcome these challenges, organisations should adopt effective strategies. Maintaining an up-to-date inventory of all applications and their current patch levels is essential for identifying gaps. Establishing clear policies for assessing, testing, and deploying patches within specified timeframes ensures consistency and accountability. Prioritising critical updates that address high-risk vulnerabilities or impact crucial systems is another key practice. Testing patches in a staging environment before deploying them to production systems helps ensure compatibility and reliability. Leveraging automated tools can streamline the patching process and reduce manual effort, while continuous monitoring and regular reviews of patch management processes ensure ongoing effectiveness.

Conclusion

Patching applications is an essential component of a robust cybersecurity strategy and a key requirement of the ACSC Essential Eight framework. By addressing vulnerabilities and maintaining up-to-date systems, organisations can significantly reduce their exposure to cyber threats. While challenges in patching applications exist, adopting best practices and leveraging automation can streamline the process, ensuring that security and operational integrity remain uncompromised.

Beyond the immediate technical benefits, patching applications plays a broader role in fostering a culture of proactive security within an organisation. Regular patching demonstrates a commitment to safeguarding not just internal systems but also the sensitive data of customers and stakeholders. This commitment helps build and sustain trust, a crucial factor in maintaining a strong reputation in the digital age. Additionally, consistent patch management contributes to operational stability, enabling organisations to focus resources on innovation and growth rather than damage control after a breach.

In an era where cyber threats are increasingly sophisticated, the importance of patching applications cannot be overstated. It is not merely a technical requirement but a strategic investment in resilience, efficiency, and trustworthiness. Organisations that prioritise patching are better positioned to navigate the complexities of today’s digital landscape while securing their future in an interconnected world. By embedding robust patch management practices into their operations, they can turn a traditionally reactive process into a cornerstone of their overall cybersecurity strategy.