What is Patch Operating Systems?

Patching operating systems is a fundamental cybersecurity practice that involves regularly updating system software to address security vulnerabilities, enhance functionality, and ensure compatibility with other software and hardware. This process is a critical component of the Australian Cyber Security Centre’s (ACSC) Essential Eight mitigation strategies, designed to protect organisations from cyber threats.

Assessment Guidelines

Each entry below lists the ISM control, the Essential Eight requirement it implements and the assessment guidelines for it.
ISM-1807
Essential Eight requirement: An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities.
Assessment guidelines: Ask for a demonstration of the automated method of asset discovery being used to identify assets associated with the system, such as workstations, servers and network devices. This may be a dedicated asset discovery tool or it may be equivalent functionality built into a vulnerability scanner. In addition, request evidence of previous automated asset discovery scans and pay attention to the date/time stamp and their scope.

Note, while an automated method of asset discovery should be used at least fortnightly, system owners may elect to align the frequency of asset discovery scans to the more frequent timeframes used for vulnerability scans (such as daily or weekly) in order to perform both activities at the same time for optimal effect.

Finally, in addition to identifying assets for follow-on vulnerability scanning activities, automated asset discovery can also be used to identify any unauthorised assets that may have been connected to the system between scheduled scans. If unknown assets are identified as part of asset discovery scans, they should be immediately investigated and treated as suspicious until confirmed otherwise.

ISM-1808
Essential Eight requirement: A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.
Assessment guidelines: Ask for a demonstration of a vulnerability scan. In addition, request evidence of the date/time stamp of when the vulnerability database used for the scan was last updated. Ideally, this should be within 24 hours of the vulnerability scan taking place.

ISM-1701
Essential Eight requirement: A vulnerability scanner is used at least daily to identify missing patches or updates for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices.
Assessment guidelines: Ask for a demonstration of a vulnerability scan. In addition, request evidence of previous vulnerability scans and pay attention to the date/time stamp and scope of event logs.

ISM-1702
Essential Eight requirement: A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices.
Assessment guidelines: Ask for a demonstration of a vulnerability scan. In addition, request evidence of previous vulnerability scans and pay attention to the date/time stamp and scope of event logs.
ISM-1877
Essential Eight requirement: Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.
Assessment guidelines: A network-based vulnerability scanner can be used to identify operating systems, their versions and install dates. This can then be reviewed alongside the release date of patches to determine whether patching timeframes have been met.

There are several free tools available to support the assessment of this control, including ASD’s E8MVT, Nessus Essentials, Nexpose Community Edition, OpenVAS and Qualys Community Edition. There are also several paid tools available. In choosing a tool to use, make sure that it has been thoroughly tested beforehand to ensure it is fit-for-purpose.

If using Windows Server Update Services (WSUS) for the assessment of this control, it is important to consider that WSUS does not necessarily report accurate patch levels. Specifically, WSUS has been known to report that patches or updates have been deployed, but not whether they were successfully applied, are stuck, or whether the machine was rebooted (if required). Request that WMIC or PowerShell be used to generate a list of hotfixes and the date that they were applied to an operating system. This can then be compared to available patches for vulnerabilities that have been identified as critical by the vendor, or are currently being exploited, to determine whether all applicable hotfixes have been applied or not.

ISM-1694
Essential Eight requirement: Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.
Assessment guidelines: A network-based vulnerability scanner can be used to identify operating systems, their versions and install dates. This can then be reviewed alongside the release date of patches to determine whether patching timeframes have been met.

There are several free tools available to support the assessment of this control, including ASD’s E8MVT, Nessus Essentials, Nexpose Community Edition, OpenVAS and Qualys Community Edition. There are also several paid tools available. In choosing a tool to use, make sure that it has been thoroughly tested beforehand to ensure it is fit-for-purpose.

If using WSUS for the assessment of this control, it is important to consider that WSUS does not necessarily report accurate patch levels. Specifically, WSUS has been known to report that patches or updates have been deployed, but not whether they were successfully applied, are stuck, or whether the machine was rebooted (if required). Request that WMIC or PowerShell be used to generate a list of hotfixes and the date that they were applied to an operating system. This can then be compared to available patches for vulnerabilities to determine whether all applicable hotfixes have been applied or not.

ISM-1695
Essential Eight requirement: Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within one month of release.
Assessment guidelines: A network-based vulnerability scanner can be used to identify operating systems, their versions and install dates. This can then be reviewed alongside the release date of patches to determine whether patching timeframes have been met.

There are several free tools available to support the assessment of this control, including ASD’s E8MVT, Nessus Essentials, Nexpose Community Edition, OpenVAS and Qualys Community Edition. There are also several paid tools available. In choosing a tool to use, make sure that it has been thoroughly tested beforehand to ensure it is fit-for-purpose.

If using WSUS for the assessment of this control, it is important to consider that WSUS does not necessarily report accurate patch levels. Specifically, WSUS has been known to report that patches or updates have been deployed, but not whether they were successfully applied, are stuck, or whether the machine was rebooted (if required). Request that WMIC or PowerShell be used to generate a list of hotfixes and the date that they were applied to an operating system. This can then be compared to available patches for vulnerabilities to determine whether all applicable hotfixes have been applied or not.
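The hotfix comparison described for ISM-1877, ISM-1694 and ISM-1695 can be scripted rather than done by eye. The following is an added example (not part of the ACSC guidance or the E8MVT tool): it reads installed hotfixes with Get-HotFix, applies the 48-hour, two-week or one-month timeframe depending on exposure and criticality, and flags anything late or missing. The release table, KB numbers and the $InternetFacing value are constructed placeholders that an assessor would replace with the vendor's release information and the host's entry in the asset inventory.

```powershell
# Added example, not from the ACSC guidance: check Get-HotFix install dates against the
# Essential Eight patching timeframes for operating systems (ISM-1877, ISM-1694, ISM-1695).
# The release table below is CONSTRUCTED sample data; in a real assessment it is built from
# the vendor's release notes and the list of vulnerabilities rated critical or known exploited.
$releases = @(
    @{ KB = 'KB5000001'; Released = [datetime]'2024-03-12'; CriticalOrExploited = $true  }
    @{ KB = 'KB5000002'; Released = [datetime]'2024-03-12'; CriticalOrExploited = $false }
    @{ KB = 'KB5000003'; Released = [datetime]'2024-02-13'; CriticalOrExploited = $false }
)
# Assumption: the assessor sets this per host from the asset inventory (ISM-1807).
$InternetFacing = $true

function Get-PatchDeadline {
    param([datetime]$Released, [bool]$InternetFacing, [bool]$CriticalOrExploited)
    # 48 hours:  internet-facing and critical/exploited (ISM-1877)
    # two weeks: internet-facing, non-critical, no working exploit (ISM-1694)
    # one month: workstations and non-internet-facing servers/devices (ISM-1695)
    if ($InternetFacing -and $CriticalOrExploited) { return $Released.AddHours(48) }
    if ($InternetFacing)                           { return $Released.AddDays(14) }
    return $Released.AddMonths(1)
}

# Get-HotFix only lists what is installed, so index it by KB and walk the expected
# releases instead; anything absent is reported as missing rather than silently skipped.
$installed = @{}
Get-HotFix | ForEach-Object { $installed[$_.HotFixID] = $_.InstalledOn }

foreach ($r in $releases) {
    $deadline = Get-PatchDeadline -Released $r.Released -InternetFacing $InternetFacing `
                                  -CriticalOrExploited $r.CriticalOrExploited
    $installedOn = $installed[$r.KB]
    $status = if (-not $installed.ContainsKey($r.KB)) {
                  if ((Get-Date) -gt $deadline) { 'MISSING (overdue)' } else { 'MISSING (within window)' }
              } elseif ($null -eq $installedOn) {
                  # Get-HotFix sometimes returns a blank InstalledOn; do not treat that as compliant
                  'INSTALLED (no date recorded, verify manually)'
              } elseif ($installedOn -le $deadline) { 'COMPLIANT' }
              else { 'LATE' }
    [pscustomobject]@{
        HotFixID    = $r.KB
        Released    = $r.Released.ToString('yyyy-MM-dd')
        Deadline    = $deadline.ToString('yyyy-MM-dd HH:mm')
        InstalledOn = $installedOn
        Status      = $status
    }
}
```

The release date is taken at midnight, so the 48-hour window is measured conservatively; if the vendor publishes a release time, use it instead. Get-HotFix does not show whether a reboot is still pending, so a COMPLIANT row confirms the install date only, not that the fix is active.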

ISM-1501
Essential Eight requirement: Operating systems that are no longer supported by vendors are replaced.
Assessment guidelines: A vulnerability scanner can be used to identify operating system versions, which can then be checked against the list of supported operating systems from vendors.

For Microsoft Windows workstations and servers, the ‘winver’ command can be run to determine the version of an operating system. Request a screenshot of the output of running this command for workstations and servers (assuming a Standard Operating Environment [SOE] is used for workstations). The versions output can then be checked against Microsoft release information to determine whether the operating systems are still supported or not.

For Linux workstations and servers, the ‘cat /etc/os-release’ command can be run to determine the version of an operating system. Request a screenshot of the output of running this command for workstations and servers (assuming a SOE is used for workstations). The versions output can then be checked against release information for the Linux distributions being used to determine whether they are still supported or not.

Benefits of Patching Operating Systems

Regularly patching operating systems is a cornerstone of maintaining robust cybersecurity. Timely patches address vulnerabilities that could otherwise be exploited by malicious actors, protecting sensitive organisational data and ensuring operational integrity. This practice aligns with key cybersecurity frameworks, such as the Australian Cyber Security Centre’s Essential Eight, which highlights the importance of mitigating security risks through prompt updates. Beyond security, patching can lead to improved system performance by resolving bugs and introducing enhancements, resulting in more stable and efficient IT environments.

Additionally, patching reinforces compliance with industry regulations and standards, which is critical for maintaining trust with stakeholders. Organisations that consistently update their systems demonstrate a proactive approach to managing risks, reducing the likelihood of costly breaches or penalties. By integrating patching as a regular aspect of system maintenance, organisations can safeguard their digital infrastructure while also boosting the reliability and longevity of their operational systems.

Challenges and Issues in Patching Operating Systems

Despite its importance, effective patch management is not without its challenges. The sheer volume of patches released for modern systems can overwhelm IT teams, making it difficult to prioritise and deploy updates in a timely manner. Compatibility issues are another major hurdle, as newly released patches may conflict with existing software, potentially causing disruptions to business-critical operations. These risks are compounded by resource limitations, such as a lack of skilled personnel or constrained budgets, which can delay the implementation of essential updates.

Balancing security needs with operational continuity adds further complexity to patch management. Uncoordinated or poorly timed updates can result in significant downtime, impacting productivity and revenue. Organisations also face the challenge of managing patches across diverse environments, such as hybrid cloud systems or geographically dispersed infrastructure, which increases the complexity of ensuring all assets are updated. Addressing these issues requires a structured approach to minimise risks and maximise security benefits.

Best Practices for Effective Patching

Implementing best practices can significantly enhance the efficiency and effectiveness of patch management. A comprehensive inventory of all IT assets is essential, ensuring that no systems are overlooked during updates. Monitoring for new vulnerabilities and tracking the release of relevant patches allows organisations to respond swiftly to emerging threats. By prioritising updates based on the severity of vulnerabilities and the criticality of affected systems, IT teams can allocate resources where they are needed most.

Testing patches in a controlled environment prior to deployment is another vital step, as it helps identify and mitigate potential issues before they impact production systems. Automating patch management processes, where feasible, can reduce manual effort and enhance consistency across large environments. Maintaining clear documentation and audit trails not only ensures accountability but also supports continuous improvement by identifying gaps or inefficiencies in the patching process. Together, these practices create a resilient framework for managing and mitigating risks associated with operating system vulnerabilities.

Conclusion

Patching operating systems is not merely a technical necessity but a strategic pillar of any robust cybersecurity framework. In today’s evolving threat landscape, where malicious actors continually exploit vulnerabilities to compromise systems, maintaining up-to-date operating systems is a non-negotiable aspect of organisational defence. It is a practice that directly contributes to reducing the attack surface, safeguarding sensitive information, ensuring operational continuity, and aligning with regulatory requirements.

Despite the challenges associated with patching—such as resource demands, potential compatibility issues, and the risk of downtime—the benefits far outweigh the obstacles. A proactive and well-structured patch management approach transforms these challenges into opportunities for improvement. For example, compatibility testing and structured deployment schedules not only prevent operational disruptions but also promote a culture of vigilance and preparedness.

The importance of patching is underscored by high-profile cyber incidents like the WannaCry ransomware attack, which exploited unpatched systems to devastating effect. Such examples highlight the critical role that timely and effective patching plays in averting catastrophic breaches. Furthermore, patching supports system stability and performance, ensuring that organisational infrastructure can meet the demands of modern business operations.

To achieve optimal results, organisations must implement best practices, including maintaining a clear inventory of systems, prioritising updates based on risk, testing patches in controlled environments, and scheduling regular maintenance. These measures ensure that patching becomes a seamless part of IT operations rather than a reactive or burdensome process.

Finally, fostering a culture that values cybersecurity is essential. Educating staff about the significance of patching not only ensures compliance with policies but also empowers individuals to contribute to the organisation’s broader security objectives. Patching, while often perceived as a behind-the-scenes activity, represents a shared responsibility and a visible commitment to organisational resilience.

In conclusion, patching operating systems is an indispensable component of the Essential Eight mitigation strategies, serving as a cornerstone of a comprehensive approach to cybersecurity. By embracing this practice with diligence and foresight, organisations can significantly mitigate risks, protect their assets, and build a foundation for long-term security and operational excellence. It is an investment in stability, trust, and the ability to navigate an increasingly complex digital environment with confidence.