
ASD Essential Eight Explained – Part 2: Patching Applications

The Essential Eight

The Australian Signals Directorate (ASD) Essential Eight has received considerable attention since it added four strategies to the previously defined ‘Top 4 Strategies to Mitigate Cybersecurity Incidents’. Logan Daley continues the ASD Essential Eight Explained series below.


Patching Applications

What is it?

In a nutshell, applications are designed to perform a specific task but often don’t account for potential flaws and vulnerabilities. Unless it’s actually a security-centric application, security is lower on the features list, if it makes the list at all. In some cases, applications are released with undocumented capabilities, have features enabled that are not being used, or use non-standard ports and services. In all fairness, if we tried to QA the apps to perfection, we’d never actually get anything to market!

Over time, the capabilities, features, and other bugbears come to the surface and are fixed by the vendor or, in other cases, discovered and exploited by those that don’t share my sunny disposition.

Where do I start?

As is the case with Application Whitelisting, a current inventory of applications is a must-have. We need to know what is on our network and why. Odds are the vendors of those applications have released patches and updates to address these issues, add features, and improve performance. Once we know what applications we have, we can investigate whether or not we have the latest stable releases and patches. In some cases, vendors are very proactive and notify their clients, supplying the patches at no charge during the lifetime of the application. Some charge extra for this service, but some just make them available without letting you know. In the end, patches and updates should be available.

Any pitfalls?

Without a doubt, Shadow IT can bite hard here. If you focus only on the “known” and approved applications, you may overlook the one-off applications downloaded to perform some task not officially sanctioned by the company. Even these one-off systems should be updated (or preferably removed until their existence can be justified and approved). In larger enterprises, patching applications can become all-consuming as it seems there are updates every day. A solid change-management process to test, schedule and deploy updates and patches on a prioritised basis is a must-have.

The ghost in the machine?

We are fooling ourselves if we think we can secure every application perfectly; risk will always remain. The key is to reduce the risk inherent in using applications to an acceptable level. Where the possibility to interact with an application exists, so does the ability to exploit the same. Technology was created by humans so human error is innate.

How do I make it work?

Once you have a current inventory of your applications and a reliable change management process in place, it’s time to begin (or at least keep going) with patching your systems to the current stable releases. Remove or replace any unsupported applications and make sure they’re included in your application whitelisting solution. Create a list, subscribe to alerts, or at the very least ask your vendors to notify you of updates and patches so you can include them in your regular scheduled maintenance. When it comes to emergency or urgent patches, treat them as a priority. Recent incidents with WannaCry and Petya/NotPetya should have highlighted this.

Am I missing anything?

While this approach seems to consider the current state, make sure to include any new applications as soon as they hit production. Even the latest and greatest systems will be updated at some point. Also, don’t overlook the software and firmware that run on your network appliances, physical and virtual. The programs that run your routers, switches, firewalls, load balancers and so on are still applications.

How do I start?

Take a deep breath and realise this isn’t going to happen overnight. Get the right people involved and don’t hesitate to put your hand up if you need some help. Begin with your current application inventory and if you’ve recently undertaken an Application Whitelisting project, you should already have that. Prioritise your applications and make sure you have the latest stable version of each. If you are a few versions behind, acquire, test, and deploy the patches using your change management process. Rinse and repeat!
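The triage this article walks through (inventory, compare against the latest stable release, deal with unapproved and unsupported software first) can be expressed as the following Python. This is an added example, not part of the original article; the host names, product names, versions and action labels are all constructed for illustration, and versions are assumed to be dotted numbers.

```python
from dataclasses import dataclass

@dataclass
class App:
    host: str
    name: str
    installed: str   # dotted numeric version found on the host
    approved: bool   # False = not officially sanctioned (Shadow IT)

# Constructed vendor catalogue: latest stable release per product.
# None means the vendor no longer supports the product.
LATEST = {"pdf-reader": "11.2.0", "web-browser": "98.0.1",
          "fw-firmware": "7.0.5", "legacy-ftp": None}

# Constructed inventory, including network appliance firmware.
INVENTORY = [
    App("ws-014", "pdf-reader", "11.2.0", True),
    App("ws-014", "web-browser", "96.0.4", True),
    App("ws-022", "legacy-ftp", "2.1", True),
    App("ws-022", "screen-grabber", "1.0", False),
    App("fw-edge-1", "fw-firmware", "7.0.5", True),
    App("fw-core-1", "fw-firmware", "6.4.9", True),
]

# Hypothetical action labels, most urgent first.
ORDER = ["remove-unapproved", "replace-unsupported", "patch", "no-vendor-feed"]

def version_key(version, width=4):
    """Turn '2.1' into (2, 1, 0, 0) so '2.1' and '2.1.0' compare equal."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def triage(app, latest=LATEST):
    if not app.approved:
        return "remove-unapproved"      # remove until justified and approved
    if app.name not in latest:
        return "no-vendor-feed"         # nobody is tracking updates for it
    if latest[app.name] is None:
        return "replace-unsupported"    # remove or replace
    if version_key(app.installed) < version_key(latest[app.name]):
        return "patch"                  # acquire, test, deploy via change management
    return "current"

def patch_plan(inventory):
    """Return (host, name, installed, action) for everything needing work."""
    rows = [(a.host, a.name, a.installed, triage(a)) for a in inventory]
    todo = [r for r in rows if r[3] != "current"]
    return sorted(todo, key=lambda r: (ORDER.index(r[3]), r[0], r[1]))
```

Calling `patch_plan(INVENTORY)` returns the work list in priority order; up-to-date entries are omitted.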

Read more from the ASD Essential Eight Explained series.

Go to: Part 1: Application Whitelisting

