
Calibre 1 Essential 8 Series: Patch Operating Systems Maturity 1


This blog is part of a series of blogs on the essential 8 and how you can implement each in a cost-effective way.

 

Previous Blogs in the Series

Backups

MultiFactor Authentication (MFA) Maturity 1

MultiFactor Authentication (MFA) Maturity 2

MultiFactor Authentication (MFA) Maturity 3

 

Introduction

Ah, patching. Three things in life are certain: patches, death and taxes. This tenet of the Essential 8 is designed to bring about rapid rollout of available patches, prioritised primarily by CVSS score, with particular attention to Known Exploited Vulnerabilities (KEV). Many widespread attacks in the wild exploit unpatched vulnerabilities that have had fixes available for months or even years! Patching is a double-edged sword: each patch typically resolves several issues, but depending on the severity of the issues it is trying to resolve, it can cause downtime beyond the scope of the patch itself. So, let's dive in.

 

The maturity model is made up of 6 things, but really boils down to just 3: patch rapidly, scan for vulnerabilities daily, and upgrade legacy operating systems (e.g., Server 2008, Windows 7, Exchange 2010) as a priority.

 

Patching

Patching should be undertaken rapidly (within 48 hours) where a server is facing the internet or a vulnerability is known to be exploited, and within 2 weeks (maturity 3) or within the month (maturity 1) for other systems. It should be scheduled to minimise interruption to staff.

 

We encourage doing this with a patch management system that can audit patches and approve or deny them as required. Calibre One are happy to assist with our internal RMM tools; alternatively, this can be set up via Microsoft Azure (costs cents), which works for both cloud and on-premises Windows and Linux systems. Finally, we can manage this through Windows Server Update Services (free, but limited to Windows servers and desktops).

 

For Networking, Calibre One offer our Next Gen Firewall Service which will centrally log and monitor for signs of compromise and enable us to monitor and patch your systems as required.

 

Vulnerability Scanning

Vulnerability scanning can be undertaken from several different systems; however, the most encompassing solution is to address it through the same patching agent in Azure. For a small licensing uplift, operating systems can be scanned using the inbuilt Qualys vulnerability scanner: upgrade the antivirus product to Microsoft Defender P2 (Endpoint Detect and Respond) and roll out the Azure Monitoring Agent and the Defender P2 Agent. Other players to consider in this space are Tenable.io (cloud service), Rapid7 (cloud), and Greenbone OpenVAS (free).

 

The scanner needs to support daily scanning of internet-facing services, and weekly (Maturity 2 & 3) or fortnightly (Maturity 1) scans for other workstations and servers.
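The patch and scan windows given in the Patching and Vulnerability Scanning sections can be checked mechanically against an asset inventory. The following is an added example, not Calibre One's or the ACSC's tooling; the inventory, host names and patch ids are constructed, and "within the month" is assumed to mean 30 days.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Windows quoted in the article. "Within the month" is modelled as 30 days (assumption).
URGENT_PATCH = timedelta(hours=48)             # internet-facing or known exploited
ROUTINE_PATCH = {1: timedelta(days=30), 3: timedelta(days=14)}
INTERNET_SCAN = timedelta(days=1)              # daily
ROUTINE_SCAN = {1: timedelta(days=14), 2: timedelta(days=7), 3: timedelta(days=7)}

@dataclass
class Asset:
    name: str
    internet_facing: bool
    last_scan: datetime
    pending: list = field(default_factory=list)  # (patch_id, released, known_exploited)

def patch_deadline(released, internet_facing, known_exploited, maturity):
    if internet_facing or known_exploited:
        return released + URGENT_PATCH
    if maturity not in ROUTINE_PATCH:
        raise ValueError(f"article gives no routine patch window for maturity {maturity}")
    return released + ROUTINE_PATCH[maturity]

def audit(assets, maturity, now):
    """Return (asset, finding, patch_id) tuples for everything past its window."""
    findings = []
    for a in assets:
        interval = INTERNET_SCAN if a.internet_facing else ROUTINE_SCAN[maturity]
        if now - a.last_scan > interval:
            findings.append((a.name, "scan-overdue", None))
        for patch_id, released, kev in a.pending:
            if now > patch_deadline(released, a.internet_facing, kev, maturity):
                findings.append((a.name, "patch-overdue", patch_id))
    return findings

# Constructed inventory: host names, patch ids and dates are made up for illustration.
NOW = datetime(2022, 3, 31, 9, 0)
INVENTORY = [
    Asset("web01", True, datetime(2022, 3, 30, 10, 0),
          [("PATCH-A", datetime(2022, 3, 28, 9, 0), False)]),
    Asset("file01", False, datetime(2022, 3, 20, 9, 0),
          [("PATCH-B", datetime(2022, 3, 10, 9, 0), False),
           ("PATCH-C", datetime(2022, 3, 29, 8, 0), True)]),
]

if __name__ == "__main__":
    for level in (1, 3):
        for finding in audit(INVENTORY, level, NOW):
            print(f"maturity {level}:", *finding)
```

The same inventory passes more checks at maturity 1 than at maturity 3, which makes the gap between the two levels concrete for a given estate.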

 

Upgrade Legacy Operating Systems

Finally, replace operating systems that are no longer supported by the vendor (Maturity 1), and run the latest operating system or the previous release (Maturity 3) for servers (e.g. Server 2022, Server 2019), workstations (e.g. Windows 11, Windows 10) and network devices (e.g. FortiOS 7.0.X, FortiOS 6.4.X). The simplest way to look at this is the last 2 major and last 2 minor releases; at the time of writing:

  • Windows Server 2022 20H2, Server 2019 20H2, Server 2019 2004
  • Windows 11 21H2, Windows 10 21H2, Windows 10 21H1
  • FortiOS 7.0.3, 7.0.2, 6.4.8 and 6.4.7

 

References

https://www.cyber.gov.au/acsc/view-all-content/publications/assessing-security-vulnerabilities-and-applying-patches

https://www.microsoft.com/en-au/business/topic/security/essential-eight/patching-operating-systems-applications/

https://docs.microsoft.com/en-us/windows/release-health/windows-server-release-info

https://docs.microsoft.com/en-au/azure/automation/update-management/overview?context=/azure/virtual-machines/context/context

https://docs.microsoft.com/en-us/azure/defender-for-cloud/deploy-vulnerability-assessment-vm

https://calibreone.com.au/wp-content/uploads/2021/02/Specific-Service-Terms-NGFW-Service.pdf

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/defender-endpoint-plan-1-2?view=o365-worldwide

https://www.tenable.com/products/tenable-io

https://openvas.org

https://www.rapid7.com/products/insightvm/
