Essential 8 - Patching operating systems.
Once a patch for a vulnerability is released by a vendor, it should be applied in a timeframe commensurate with an organisation’s exposure to the vulnerability.
For example, once a vulnerability in an online service is made public, it can be expected that malicious code will be developed by malicious actors within 48 hours, sometimes within 24 hours.
Essential 8 Maturity Level 2 Controls and our Solution.
| An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities. |  |
| A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities. | |
| A vulnerability scanner is used at least daily to identify missing patches or updates for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices. | |
| A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices. |
| Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist. |  |
| Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist. |
| Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within one month of release. |  |
| Operating systems that are no longer supported by vendors are replaced. |
Maturity Level 2 for Mission Critical and Legacy systems.
Agencies struggle to maintain Essential 8 ML 2 controls for applying critical patches within 48 hours, especially for Mission Critical and Legacy systems.
Virtual Patching blocks specific exploits via the WAF, enabling immediate protection against vulnerabilities for public facing services.