The Essential Eight should be the foundation of your cyber security – necessary but not sufficient for a strong defensive posture. The first strategy in the group, ‘Patch applications’, focuses on keeping software up to date.
Here’s what you, an SMB leader, need to know if you’ve asked your IT provider to implement it.
This article is part of a series on implementing the Essential Eight to Maturity Level 1.
Automated Asset Discovery
Control: An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities.
Your IT environment isn’t just the computers your staff work at. It’s a combination of hardware and software that includes networking gear, endpoints like laptops, servers, and even IoT devices.
Finding out exactly what assets you have can be a challenge. A typical SMB environment likely comprises hundreds of assets – and that number can fluctuate quickly as your headcount and infrastructure change. Manual discovery is almost impossible, which is exactly why Maturity Level 1 specifies ‘automated method’. You need a tool that does the hard work for you.
Your IT provider will use a program like Lansweeper to find any asset connected to your network. That includes things like containers and virtual machines sitting in your cloud infrastructure. (And, if you’ve never heard of ‘containers’ or ‘VMs’ before, you probably don’t need to worry.) All those assets will show up in a dedicated inventory – which can then be scanned for vulnerabilities.
Make sure your IT provider uses an asset discovery program that can scan your whole network, not just parts of it. Some programs will only ‘see’ endpoints that have the program installed on them – they can’t find other network-connected devices (like smart fridges).
Vulnerability Scanning
Controls:
A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.
A vulnerability scanner is used at least daily to identify missing patches or updates for vulnerabilities in online services.
A vulnerability scanner is used at least weekly to identify missing patches or updates for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products.
Discovering your assets is the first step. The next: regularly checking them for vulnerabilities.
A vulnerability is anything that an adversary can exploit to disrupt or access your environment. Think of it like a window that someone can slide open in an otherwise locked house. In the context of Maturity Level 1, those weaknesses are normally the result of bad code in an app you use – which then needs to be corrected with a ‘patch’ (a download that fixes the bad code).
Vulnerability scanners work by checking your asset inventory against a database of known vulnerabilities (normally either CVE or, in Europe, EUVD). If a vulnerability emerges that matches the version and patch level of an asset in your inventory, the scanner will flag it.
Your IT provider can then prioritise the resulting vulnerabilities based on their severity score (CVSS) and exploit status (whether the vulnerability has actually been used in real-world attacks). Keep in mind that, if you’ve never scanned your assets before, the list of weaknesses will probably be long. Successfully remediating them all may take weeks – especially if you’re dealing with legacy applications.
Patching and Updating
Controls:
Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.
Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within 2 weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.
Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within 2 weeks of release.
Once you have a vulnerability scanner in place, meeting the Maturity Level 1 controls is easy – in theory. Your IT provider will have a clear list of weaknesses, prioritised by CVSS and exploit status. All they need to do is monitor their scanner for new patch or version releases, then roll out those updates via Microsoft Intune (or, better, an RMM like NinjaOne).
‘In theory’ is the operative phrase, though. If your team uses laptops, patches will need to be rolled out during working hours – which, with the 48-hour window for critical vulnerabilities and known exploits, can be tricky. The best thing you can do to help is communicate the criticality of the patch to all staff, and make sure they follow any directives from your IT provider.
Patches should also be deployed in rings. Start with a test environment, then move to a small group of assets, then the broader organisation. Updates can sometimes cause problems themselves – so testing the waters first is best practice.
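The patch windows in the controls above can be turned into a deadline check over a scanner's findings. The following is an added example, not code from this article or from any scanner vendor; the category names, asset names, dates and scores are constructed assumptions.

```python
# Added example: asset names, dates and scores below are constructed sample data.
from dataclasses import dataclass
from datetime import datetime, timedelta

ONLINE_SERVICE = "online_service"
# Office suites, browsers and extensions, email clients, PDF software, security products
WORKSTATION_APP = "workstation_app"


@dataclass
class Finding:
    asset: str
    category: str
    patch_released: datetime
    vendor_critical: bool
    working_exploit: bool
    cvss: float


def ml1_window(f: Finding) -> timedelta:
    """Patch window from the Maturity Level 1 controls quoted above."""
    if f.category == ONLINE_SERVICE and (f.vendor_critical or f.working_exploit):
        return timedelta(hours=48)
    # Non-critical online services, and every in-scope workstation application
    return timedelta(weeks=2)


def triage(findings, now):
    """Return (finding, deadline, overdue) rows: overdue first, then by
    nearest deadline, then by highest CVSS score."""
    rows = []
    for f in findings:
        deadline = f.patch_released + ml1_window(f)
        rows.append((f, deadline, now > deadline))
    rows.sort(key=lambda r: (not r[2], r[1], -r[0].cvss))
    return rows


SAMPLE = [
    Finding("vpn-gateway", ONLINE_SERVICE, datetime(2025, 3, 3, 9), True, False, 9.8),
    Finding("customer-portal", ONLINE_SERVICE, datetime(2025, 3, 1, 9), False, False, 5.3),
    Finding("pdf-reader@LAPTOP-07", WORKSTATION_APP, datetime(2025, 2, 17, 9), True, True, 8.8),
    Finding("webmail", ONLINE_SERVICE, datetime(2025, 3, 4, 12), False, True, 6.5),
]

if __name__ == "__main__":
    for f, deadline, overdue in triage(SAMPLE, now=datetime(2025, 3, 5, 10)):
        status = "OVERDUE" if overdue else "due"
        print(f"{status:8} {deadline:%Y-%m-%d %H:%M}  CVSS {f.cvss:<4} {f.asset}")
```

Note that the PDF reader finding gets the two-week window even though it is critical and exploited, because the 48-hour control applies to online services only.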
Unsupported Product Removal
Controls:
Online services that are no longer supported by vendors are removed.
Office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed.
An asset becomes unsupported when its developers stop providing updates and patches. Over time, that asset will become less and less usable, often conflicting with other, more modern software.
Internet Explorer is one of the most obvious examples. Microsoft stopped supporting it in 2022, and its lack of modern security features means it’s regularly targeted by threat actors. (Removing IE is actually a requirement for a separate Essential Eight control under the ‘User Application Hardening’ strategy.)
There’s almost never a good reason to keep internet-connected legacy software around. Switching to a newer version or removing the app entirely are both ways you can comply with Maturity Level 1.
If you think your organisation might be one of the very rare exceptions to the rule, talk to your IT provider about compensating controls. The Essential Eight assessment process does have scope for formal exceptions, particularly if the main objective of the control has still been accomplished (such as isolating legacy CNC software on a non-internet-connected endpoint).

