Operating System and Firmware Patching
Here is part 5 of the Cyber Essentials blog series: Top 7 things you need to know before you start your assessment – Operating System and Firmware Patching
Today we are going to talk about Operating System and Firmware Patching.
Firmware and OS patching
Let’s start with “What is patching?”
A patch is a small program, or in some cases a major update, designed to resolve or fix a known issue. Patches are normally released on a regular schedule, for example:
- Microsoft typically release operating system updates on the second Tuesday of the month.
- Google typically release security updates once a month (depending on your handset manufacturer you may not receive the update at all, or it may be several months out of date when it arrives).
- Apple release iOS updates every couple of weeks.
Why are they important?
Bad guys will regularly review patches and attempt to reverse engineer them to identify what changes have been made; in a lot of instances they are then able to take advantage of computers that have not yet been patched. They will then write programs that specifically target these vulnerabilities.
This can happen anywhere from several hours to several weeks after the patch is released.
Vulnerabilities are graded using a scheme known as CVSS, on a scale from 1 (very low risk) to 10 (very high risk). Normally any vulnerability scoring over 7 is deemed high risk, and its patch needs to be applied as promptly as you can (in particular for Cyber Essentials Plus).
Unpatched operating systems and firmware are responsible for a large percentage of attacks, but they come second to missing “application updates”, which we are going to cover in the next part of our series.
In most cases operating system updates will happen automatically, or you will receive a prompt to install them. However, when it comes to firewalls/routers the process is normally manual.
What about unsupported systems?
Generally speaking, older non-supported versions of systems, for example Windows 7, are likely to suffer from the same vulnerability (not always, but it’s more common than you would think), and the bad guys can very easily reverse engineer the patch to identify the underlying vulnerability. This is why it’s very important you only use supported devices across your environment; this is also a requirement for Cyber Essentials.
Let’s talk about Cyber Essentials specifically
You will be asked to include details of devices in your scope (Section 2), and also to describe your firmware and OS patching process in Section 6, question A6.4.
Currently Windows 8.1 and Windows 10 are supported.
Since Windows 10 was released in 2015, Microsoft have been very aggressive with their 6 month version rollout. This has meant there is increased pressure on you to ensure the build version of Windows 10 you are running is still under support. Normally you will receive updates via Microsoft’s automatic update process, but sometimes this can fail.
Ensure you confirm your Windows 10 versions and builds are still under support; otherwise this may cause your assessment to fail.
In relation to server operating systems, you need to be running Server 2012 onwards; anything older and you’re going to fail CE.
If you’re not sure:
- search for “Microsoft Lifecycle Policy”
- click on the blue button named “Search Product Lifecycle”
- look for the Extended Support End Date
This applies unless you have specifically paid for Extended Security Updates; if you have, state this explicitly in your scope, but this is quite rare as it’s expensive.
Luckily this is easier to check in the case of Mac (Apple support the current version and the two prior editions), with a new version normally released around September each year.
I also wanted to mention mobile devices specifically: as part of your assessment you will need to specify their version, manufacturer and model.
Apple is generally quite straightforward in that you must be running the latest version.
However, Android is a wild west, and you may find your assessment fails if you are using an old mobile device, so check with the manufacturer that your handset is still under support.
Let’s share some statistics and data with you regarding patching:
- 80% of companies who had a data breach or a failed audit could have prevented it by patching on time or doing configuration updates – Voke Media survey, 2016.
- Upon a breach or failed audit, nearly half of companies (46%) took longer than 10 days to remedy the situation and apply patches, because deploying updates in the entire organization can be difficult – Voke Media survey, 2016.
- 20% of all vulnerabilities caused by unpatched software are classified as High Risk or Critical – Edgescan Stats Report, 2018.
In particular, for Cyber Essentials you must have a robust patching policy where high risk or critical patches are deployed within 14 days. This covers all devices in scope, namely firewalls, routers, computers, laptops and mobile devices.
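As an added example (not part of the original post), the following Python script checks a constructed patch inventory against the 14-day rule for high-risk patches described above and the CVSS high-risk threshold mentioned earlier. The threshold of 7.0, the device names, patch identifiers, scores and dates are all assumptions made for illustration.

```python
from datetime import date, timedelta

# Thresholds from the Cyber Essentials guidance described above. Treating
# 7.0 and above as high risk follows the usual CVSS banding (assumption).
HIGH_RISK_CVSS = 7.0
PATCH_WINDOW = timedelta(days=14)
AS_OF = date(2024, 6, 10)  # constructed "today" for the report

# Constructed sample inventory, one record per (device, patch). Device names,
# patch identifiers, scores and dates are made up; "applied" is None when
# the patch has not yet been installed on that device.
SAMPLE_PATCHES = [
    {"device": "laptop-01", "patch": "KB-EXAMPLE-1", "cvss": 9.8,
     "released": date(2024, 5, 14), "applied": date(2024, 5, 20)},
    {"device": "laptop-02", "patch": "KB-EXAMPLE-1", "cvss": 9.8,
     "released": date(2024, 5, 14), "applied": None},
    {"device": "router-01", "patch": "FW-EXAMPLE-2", "cvss": 7.5,
     "released": date(2024, 5, 1), "applied": date(2024, 5, 30)},
    {"device": "phone-01", "patch": "OS-EXAMPLE-3", "cvss": 4.3,
     "released": date(2024, 4, 1), "applied": None},
]


def check_patch_compliance(records, today):
    """Split records into 14-day-rule breaches and low-risk (informational).

    A high-risk record breaches if it was applied after the 14-day deadline,
    or if it is still unapplied and the deadline has already passed as of
    `today`. Each breach carries its deadline and how many days overdue it is.
    """
    breaches, low_risk = [], []
    for r in records:
        if r["cvss"] < HIGH_RISK_CVSS:
            low_risk.append(r)
            continue
        deadline = r["released"] + PATCH_WINDOW
        installed_late = r["applied"] is not None and r["applied"] > deadline
        still_open = r["applied"] is None and today > deadline
        if installed_late or still_open:
            effective = r["applied"] if r["applied"] is not None else today
            breaches.append({**r, "deadline": deadline,
                             "days_overdue": (effective - deadline).days})
    return breaches, low_risk


if __name__ == "__main__":
    late, info = check_patch_compliance(SAMPLE_PATCHES, AS_OF)
    for b in late:
        print(f"{b['device']}: {b['patch']} (CVSS {b['cvss']}) "
              f"overdue by {b['days_overdue']} days")
    print(f"{len(info)} lower-risk patch(es) not subject to the 14-day rule")
```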