"Hi, my name is Michael, and I'm a Cyber Security Consultant here at AC3.

In this video, I will be discussing the second mitigation strategy of the ACSC Essential Eight, Patch Applications.

There are two main activities associated with this strategy. The first is patching applications. The second is to implement ongoing, regular vulnerability scans of the organisation’s assets. This helps identify instances where the patch strategy is failing.

No matter the maturity level an organisation has achieved, patches, updates, and vendor mitigations in internet-facing services need to be applied within two weeks of release or 48 hours if an exploit exists, and vulnerability scanners must be used daily to identify missing patches or updates.

It's important to note when considering this strategy that the ACSC regards applications in the following categories as critical.

  • Adobe Flash
  • web browsers
  • Microsoft Office
  • Oracle Java
  • PDF viewers
  • security products

At Maturity Level One, only critical applications are considered. These must be patched monthly and vulnerability scans completed fortnightly. Critical applications no longer supported by the vendor must be removed from the organisation.

At Maturity Level Two, organisations must patch critical applications within two weeks and complete vulnerability scans weekly for critical applications. All other applications must be scanned fortnightly.

At Maturity Level Three, organisations need to patch vulnerabilities in critical apps within 48 hours if an exploit exists, and any application no longer supported by the vendor must be removed from the organisation.

If you would like guidance on which maturity level is right for your organisation or how effective your current application patching strategy is, please reach out to the team. We'd love to help."

AC3's Essential Eight Security Control Assessment can benchmark your current strategies against the ACSC's Essential Eight maturity models. Find out more here.