
Timely Patch Management

Don’t underestimate the risk posed by known, unpatched vulnerabilities. Exploitation of a flaw that already has a vendor fix can have severe consequences, including, but not limited to, content defacement, serious damage to brand reputation, injection of malware or links to malware, ransomware, and data breaches.

Example patch-time targets, by severity:

  • Critical: immediate (“work stoppage”) to <48 hours
  • High: 2 days to 2 weeks
  • Medium: 30 to 90 days
  • Low: 3 to 12 months
  • Info: as able (no fixed deadline)

Patching can, on occasion, have unintended availability side effects. Nevertheless, it is critical to patch, and to patch as quickly as possible, whenever a vendor releases an update for a known vulnerability.

  • If your risk profile allows, enable automatic updates wherever possible, with at minimum a daily check-and-install. If pushing updates automatically is deemed too risky, create a process that identifies new updates daily and alerts the responsible team so the installs can be scheduled.
  • Invest in a patch/package/configuration management solution: SCCM+WSUS+SCUP, ManageEngine, Automox, LanGuard, etc.
  • Critical vulnerabilities should be patched by end of day. If that is not practical, ensure sufficient alternative mitigations are in place, up to and including taking the vulnerable system offline until it can be patched.
  • If a vendor product is up to date but the software components it relies on (frameworks, libraries, embedded firmware) are out of date, contact the vendor and determine when they will upgrade those dependencies. If the vendor is unwilling or unable to do so and offers neither a reasonable justification nor compensating controls or mitigations, seek an alternative vendor.
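The severity-based deadlines above, together with the daily identify-and-alert process in the first bullet, can be turned into a check that runs over a vulnerability-scanner export and reports what has blown its deadline. The script below is an added example written for this page, not PEN Consultants’ own tooling. It assumes the upper bound of each range in the example policy as the hard deadline (critical 48 hours, high 2 weeks, medium 90 days, low 12 months, info no deadline); the hosts, finding identifiers, and dates are constructed sample data.

```python
"""Patch-SLA tracker: apply a severity-based patch-time policy to open
findings and report which ones are past their deadline, worst first.

Added example for this page (not PEN Consultants' tooling). Deadlines are
an assumption taken from the upper bound of the article's example ranges;
the finding records and the 'today' date are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Maximum days allowed from detection to remediation, per severity.
# Assumption: upper bound of each example range in the article
# (Critical <48h -> 2 days, High 2 weeks, Medium 90 days, Low 12 months).
# "Info" is "as able", so it never becomes overdue.
POLICY_MAX_DAYS = {
    "critical": 2,
    "high": 14,
    "medium": 90,
    "low": 365,
    "info": None,
}

# Ordering used so the report lists the most severe items first.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}


@dataclass(frozen=True)
class Finding:
    host: str
    finding_id: str   # identifier as reported by the scanner
    severity: str     # critical / high / medium / low / info
    detected: date    # first date the scanner reported it


def due_date(f: Finding) -> Optional[date]:
    """Deadline for remediation, or None when the policy sets no deadline."""
    sev = f.severity.lower()
    if sev not in POLICY_MAX_DAYS:
        raise ValueError(f"unknown severity {f.severity!r} on {f.host}/{f.finding_id}")
    max_days = POLICY_MAX_DAYS[sev]
    return None if max_days is None else f.detected + timedelta(days=max_days)


def days_overdue(f: Finding, today: date) -> int:
    """Days past the deadline; 0 if still within policy or no deadline applies."""
    due = due_date(f)
    if due is None:
        return 0
    return max(0, (today - due).days)


def overdue_report(findings: List[Finding], today: date) -> List[Tuple[str, str, str, int]]:
    """Return (host, finding_id, severity, days_overdue) for every finding past
    its deadline, sorted by severity and then by how late it is."""
    rows = [
        (f.host, f.finding_id, f.severity.lower(), days_overdue(f, today))
        for f in findings
    ]
    overdue = [r for r in rows if r[3] > 0]
    return sorted(overdue, key=lambda r: (SEVERITY_RANK[r[2]], -r[3]))


# Constructed sample data: hypothetical hosts and finding identifiers.
TODAY = date(2024, 6, 10)
SAMPLE_FINDINGS = [
    Finding("web-01", "sample-vuln-1", "critical", date(2024, 6, 7)),   # 3 days old
    Finding("web-01", "sample-vuln-2", "high", date(2024, 6, 1)),       # 9 days old
    Finding("db-02", "sample-vuln-3", "medium", date(2024, 2, 1)),      # 130 days old
    Finding("db-02", "sample-vuln-4", "low", date(2023, 1, 1)),         # over a year old
    Finding("jump-01", "sample-vuln-5", "info", date(2020, 1, 1)),      # never overdue
]

if __name__ == "__main__":
    # A daily cron job would replace SAMPLE_FINDINGS with the current scanner
    # export and TODAY with date.today(), then send this list as the alert.
    for host, fid, sev, late in overdue_report(SAMPLE_FINDINGS, TODAY):
        print(f"OVERDUE {sev:8} {host:8} {fid:14} {late} day(s) past deadline")
```

With the sample data the critical finding is one day late, the high finding is still inside its two-week window and is not listed, and the medium and low findings are 40 and 161 days late respectively. Feeding the real scanner export into `overdue_report` each day gives the alert the first bullet calls for, and the critical row at the top of the list is the one that should trigger the end-of-day response or the offline mitigation described above.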

If you are looking for a reliable and experienced offensive security service that provides Rock Solid Security, look no further than PEN Consultants for all your information and cybersecurity testing needs. Contact us: