Calibre 1 Essential 8 Series: Patch Operating Systems Maturity 1
This blog is part of a series on the Essential 8 and how you can implement each control in a cost-effective way.
Previous Blogs in the Series
Backups
MultiFactor Authentication (MFA) Maturity 1
MultiFactor Authentication (MFA) Maturity 2
MultiFactor Authentication (MFA) Maturity 3
Introduction
Ah, patching: the three things in life that are certain are patches, death and taxes. This tenet of the Essential 8 is designed to bring about rapid rollout of available patches, prioritised primarily by CVSS score, with a vested interest in addressing Known Exploited Vulnerabilities (KEV). Many of the vulnerabilities widely exploited in the wild are unpatched ones that have had fixes available for months or even years! Patching is a double-edged sword: each patch typically resolves several issues, but depending on the severity of the issues it is trying to resolve, it can cause downtime beyond the scope of the patch itself. So, let’s dive in.
The maturity model for this control is made up of six requirements, which really boil down to just three things: patch rapidly, scan for vulnerabilities daily, and upgrade legacy operating systems (e.g. Server 2008, Windows 7, Exchange 2010) as a priority.
Patching
Patching should be undertaken rapidly (within 48 hours) where a server is internet-facing or the vulnerability is known to be exploited, and within two weeks (Maturity 3) or within the month (Maturity 1) for other systems; this should be scheduled to minimise interruption to staff.
We encourage doing this with a patch management system that can audit the available patches and approve or deny them as required. Calibre One are happy to assist with our internal RMM tools; alternatively, this can be set up via Microsoft Azure (costs cents), which works for both cloud and on-premises Windows and Linux systems. Finally, it can be managed through Windows Server Update Services (free, but limited to Windows servers and desktops).
For networking, Calibre One offer our Next Gen Firewall Service, which centrally logs and monitors for signs of compromise and enables us to monitor and patch your systems as required.
Vulnerability Scanning
Vulnerability scanning can be undertaken from several different systems; however, the most encompassing solution is to address it through the same patching agent in Azure. For a small licensing uplift, operating systems can be scanned using the built-in Qualys vulnerability scanner: upgrade the antivirus product to Microsoft Defender P2 (Endpoint Detection and Response) and roll out the Defender P2 agent and the Azure Monitoring Agent. Other players to consider in this space are Tenable.io (cloud service), Rapid7 (cloud) and Greenbone OpenVAS (free).
The scanner needs to facilitate daily scanning of internet-facing services, and weekly (Maturity 2 and 3) or fortnightly (Maturity 1) scans of other workstations and servers.
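The patch windows above (48 hours for internet-facing or known-exploited, within the month at Maturity 1, two weeks at Maturity 3) and the scan cadences (daily for internet-facing, fortnightly at Maturity 1, weekly at Maturity 2 and 3) are easy to state but easy to lose track of across a fleet. The script below is an added example, not code from Calibre One or from any of the tools named in this post: it turns both rules into a deadline check over a constructed list of findings and scan records. It assumes "within the month" means 30 days, leaves Maturity 2's patch window out because the post does not state it, and uses placeholder CVE ids rather than real advisories.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Patch windows stated in the post: 48 hours where the host is internet-facing
# or the vulnerability is known to be exploited; otherwise within the month at
# Maturity 1 and within two weeks at Maturity 3. "Within the month" is taken
# as 30 days here (an assumption; the post gives no day count). Maturity 2's
# patch window is not stated in the post, so it is deliberately left out.
URGENT_WINDOW = timedelta(hours=48)
PATCH_WINDOW = {1: timedelta(days=30), 3: timedelta(days=14)}

# Scan cadence stated in the post: daily for internet-facing services,
# fortnightly at Maturity 1 and weekly at Maturity 2 and 3 for everything else.
INTERNET_FACING_SCAN = timedelta(days=1)
SCAN_INTERVAL = {1: timedelta(days=14), 2: timedelta(days=7), 3: timedelta(days=7)}


@dataclass
class Finding:
    host: str
    cve: str                  # constructed placeholder ids, not real advisories
    internet_facing: bool
    known_exploited: bool
    fix_available: date       # day the vendor fix became available
    patched: bool = False


def patch_deadline(finding, maturity):
    """Latest date by which the fix must be applied at the given maturity level."""
    if finding.internet_facing or finding.known_exploited:
        return finding.fix_available + URGENT_WINDOW
    return finding.fix_available + PATCH_WINDOW[maturity]


def overdue(findings, maturity, today):
    """CVE ids that are still unpatched after their deadline has passed."""
    return [f.cve for f in findings
            if not f.patched and today > patch_deadline(f, maturity)]


def scan_overdue(hosts, maturity, today):
    """Hosts whose most recent scan is older than the cadence allows."""
    late = []
    for name, internet_facing, last_scan in hosts:
        interval = INTERNET_FACING_SCAN if internet_facing else SCAN_INTERVAL[maturity]
        if today - last_scan > interval:
            late.append(name)
    return late


# Constructed sample data: an "as of" date, four findings and three scan records.
TODAY = date(2022, 3, 20)
FINDINGS = [
    Finding("web01", "CVE-0000-0001", True, False, date(2022, 3, 1)),
    Finding("fs01", "CVE-0000-0002", False, True, date(2022, 3, 1)),
    Finding("app01", "CVE-0000-0003", False, False, date(2022, 3, 1)),
    Finding("db01", "CVE-0000-0004", False, False, date(2022, 2, 1), patched=True),
]
HOSTS = [                      # (host, internet_facing, last_scan)
    ("web01", True, date(2022, 3, 18)),
    ("app01", False, date(2022, 3, 1)),
    ("fs01", False, date(2022, 3, 10)),
]

if __name__ == "__main__":
    for ml in (1, 3):
        print(f"Maturity {ml}: overdue patches {overdue(FINDINGS, ml, TODAY)}")
    for ml in (1, 2, 3):
        print(f"Maturity {ml}: hosts needing a scan {scan_overdue(HOSTS, ml, TODAY)}")
```

Running it shows the difference the maturity level makes on the same data: the internet-facing and known-exploited findings are overdue at every level, while the ordinary one is only overdue under the two-week Maturity 3 window. The same pattern applies to the scan records, where a host scanned ten days ago is fine at Maturity 1 but late at Maturity 2 and 3. Feeding this from your scanner's export rather than the constructed lists is the only change needed to use it for real.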
Upgrade Legacy Operating Systems
Finally, replace operating systems that are no longer supported by the vendor (Maturity 1), and run the latest operating system release or the previous one (Maturity 3) for servers (e.g. Server 2022, Server 2019), workstations (e.g. Windows 11, Windows 10) and network devices (e.g. FortiOS 7.0.x, FortiOS 6.4.x). The simplest way to look at this is the last two major and last two minor releases, which at the time of writing means:
- Windows Server 2022 20H2, Server 2019 20H2, Server 2019 2004
- Windows 11 21H2, Windows 10 21H2, Windows 10 21H1
- FortiOS 7.0.3, 7.0.2, 6.4.8 and 6.4.7
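The "last two major, last two minor" rule is simple to apply by hand to one device and tedious to apply across a fleet. The script below is an added example, not code from Calibre One or from any vendor: it encodes the rule as a lookup over a release catalogue and audits a constructed inventory at Maturity 1 (vendor-supported) and Maturity 3 (latest or previous release). The first two trains and first two releases per product are the post's own list; the older catalogue entries (Server 2016 1607, Windows 10 20H2, FortiOS 7.0.1, 6.4.6 and the 6.2 train) are assumed additions so that out-of-policy cases exist, and anything absent from the catalogue (e.g. Server 2008) is treated as no longer supported.

```python
# Release catalogue per product: vendor-supported trains newest-first and,
# within each train, releases newest-first. The first two trains and the first
# two releases of each reproduce the post's list at its time of writing; the
# older entries are added here for illustration (an assumption). Anything
# absent from the catalogue is treated as no longer supported by the vendor.
CATALOGUE = {
    "Windows Server": [("2022", ["20H2"]),
                       ("2019", ["20H2", "2004"]),
                       ("2016", ["1607"])],
    "Windows": [("11", ["21H2"]),
                ("10", ["21H2", "21H1", "20H2"])],
    "FortiOS": [("7.0", ["7.0.3", "7.0.2", "7.0.1"]),
                ("6.4", ["6.4.8", "6.4.7", "6.4.6"]),
                ("6.2", ["6.2.10"])],
}


def allowed_versions(product, majors=2, minors=2):
    """(train, release) pairs permitted under 'last N major, last N minor'."""
    return {(train, rel)
            for train, rels in CATALOGUE.get(product, [])[:majors]
            for rel in rels[:minors]}


def check(product, train, release, maturity):
    """Classify one device as 'ok', 'upgrade' (Maturity 3 only) or 'replace'."""
    if maturity not in (1, 3):
        raise ValueError("the post states the rule for Maturity 1 and 3 only")
    supported_trains = [t for t, _ in CATALOGUE.get(product, [])]
    if train not in supported_trains:
        return "replace"          # vendor support has ended: fails every level
    if maturity == 3 and (train, release) not in allowed_versions(product):
        return "upgrade"          # supported, but not the latest or previous release
    return "ok"


def audit(inventory, maturity):
    """Map each device name to its status at the given maturity level."""
    return {name: check(product, train, release, maturity)
            for name, product, train, release in inventory}


# Constructed fleet inventory: (device, product, train, release).
INVENTORY = [
    ("dc01", "Windows Server", "2022", "20H2"),
    ("file01", "Windows Server", "2016", "1607"),
    ("legacy01", "Windows Server", "2008", "SP2"),
    ("pc-042", "Windows", "10", "20H2"),
    ("fw-edge", "FortiOS", "6.4", "6.4.7"),
    ("fw-branch", "FortiOS", "6.2", "6.2.10"),
]

if __name__ == "__main__":
    for ml in (1, 3):
        print(f"Maturity {ml}:", audit(INVENTORY, ml))
```

At Maturity 1 only the Server 2008 host fails, because everything else is still vendor-supported; at Maturity 3 the Server 2016 host, the Windows 10 20H2 workstation and the FortiOS 6.2 firewall all drop to "upgrade" because they fall outside the last two trains or the last two releases. Keeping the catalogue as data rather than logic means the next vendor release is a one-line change.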