Introduction
With the pace of technology accelerating, staying on top of security vulnerabilities is crucial for organisations of all sizes. Security updates are released on a regular basis, aimed at reducing risk and closing system weaknesses. Cyber criminals are constantly looking to exploit weaknesses for nefarious gain, so a holistic approach to applying security patches is key. Having confidence that an organisation is protected against the threats of using outdated software can be a game-changer. Without that protection, an organisation can experience security incidents and data breaches. In this article, we look at how security patching can be overlooked and how system weaknesses can stay hidden (despite regularly applying security updates), explain why action is essential, and link this to the importance of Cyber Essentials Plus testing.
Cyber Essentials Plus Testing
Cyber Essentials Plus actively tests devices to determine whether an attacker can hack into them. This certification also checks to determine whether weaknesses exist. Qualified assessors use specially designed tools to carry out the testing and to identify and highlight any associated security weaknesses. Findings can be extremely valuable to an organisation: they are an opportunity to identify and fix system weaknesses before they can be exploited by threat actors.
Missing Security Patches
Missing security patches mean outdated software and/or insecure operating systems with known vulnerabilities. ‘Windows Updates’ may be up to date; however, applications can still have missing security updates, resulting in critical and high-risk vulnerabilities.
What An Attacker Can Do
Attackers can exploit known vulnerabilities, gain unauthorised access to systems, execute malicious code and spread malicious software across the network. Attacks can focus on operating systems, applications and services.
Potential Impact
If security updates are not applied, attackers can gain full control of your systems, potentially allowing them to access programs, view, change, steal, or delete data, and create new accounts.
Why It Matters
Cyber threats can lead to devastating consequences, including data breaches, financial loss, and reputational damage. Addressing vulnerabilities is not just about compliance; it’s about safeguarding a business’s future and protecting information.
Severity
Missing patches can have CRITICAL and HIGH severity rankings.
Examples identified through Cyber Essentials Plus testing include:
- Microsoft 3D Viewer software
- Microsoft Paint 3D
- Zoom application
- Internet browsers
- Email clients
- Office applications
Fix
Missing patches can be addressed by updating the operating system and software, and by removing unused applications and services.
Fix Options
- Manual and/or automated processes to address missing patches
- Software solutions and device management tools
Warning – Before Making Changes
Before making changes, it’s recommended to test in a non-production environment and then roll out into a production environment, creating appropriate backups (in case of any need to revert).
Manual Process – Using Microsoft Store
- Open the ‘Microsoft Store’ app
- Click ‘Downloads’
- Uninstall any unused applications
- Check and apply updates for applications in use
Manual Process – Using Windows Update
- Open ‘Windows Update’
- Click ‘Check for Updates’
- ‘Download and install’ missing updates
- Select ‘Get the latest updates as soon as they’re available’
- Also, check ‘Advanced Options’ / ‘Optional Updates’ and apply updates where appropriate
Process – Updating Microsoft 365 (Locally Installed) Applications
- Open an Office application, such as Microsoft Word
- Go to ‘Account’, ‘Update Options’ and ‘Update Now’
- Check ‘Updates are automatically downloaded and installed’
Process – Updating Zoom
- Open the Zoom application / sign in
- Click the profile icon in the top right corner and ‘Check for Updates’
Software Solutions and Device Management Tools
- You can set up automated solutions using software tools and agents
- These tools can apply updates automatically and regularly report on system vulnerabilities
- Different solutions offer varying features and performance, which affect both cost and effort
- Many organisations use Microsoft Intune to automate device management
- Microsoft Vulnerability Manager detects and reports on system weaknesses through a software agent
Checking the Fix
- Repeat the above steps to confirm that the latest updates are applied and that unused applications have been removed
- Leverage software solutions for automation where possible
- Use a vulnerability management agent and/or credentialed scan to confirm remediation
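A quick local check to go with the steps above, as an added example (not a tool from this article or from Cyber Essentials): it lists the installed versions of some of the applications named earlier and the most recent Windows update, so they can be compared with each vendor's current release. The name filter and the choice of registry keys are assumptions to adjust for your own estate.

```powershell
# Added example: read-only inventory for the "Checking the Fix" steps.
# Run in PowerShell on the device being checked (elevated, for -AllUsers).

# 1. Store (Appx) packages for two applications this article lists.
$storeApps = 'Microsoft.Microsoft3DViewer', 'Microsoft.MSPaint'  # 3D Viewer, Paint 3D
$appx = foreach ($name in $storeApps) {
    Get-AppxPackage -AllUsers -Name $name |
        Select-Object @{n='Source';e={'Store'}}, Name, Version
}

# 2. Desktop applications from the uninstall registry keys. HKCU is included
#    because some applications install per-user; it only covers the account
#    running this script.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
# Assumed name filter for the application types listed in this article.
$pattern = 'Zoom|Microsoft 365|Office|Chrome|Edge|Firefox'
$desktop = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $pattern } |
    Select-Object @{n='Source';e={'Desktop'}},
                  @{n='Name';e={$_.DisplayName}},
                  @{n='Version';e={$_.DisplayVersion}}

# 3. Report what is still installed and at which version.
$report = @($appx) + @($desktop)
if ($report) {
    $report | Sort-Object Source, Name | Format-Table -AutoSize
} else {
    'None of the checked applications were found.'
}

# 4. Most recent Windows update with a recorded install date.
$last = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($last) {
    $days = ((Get-Date) - $last.InstalledOn).Days
    $date = $last.InstalledOn.ToString('yyyy-MM-dd')
    "Last Windows update: $($last.HotFixID) on $date ($days days ago)"
} else {
    'No dated Windows update entries were returned by Get-HotFix.'
}
```

A Store package that still appears after removal, or a version older than the vendor's current release, means the fix has not taken effect on that device. The script does not replace the vulnerability management agent or credentialed scan mentioned above.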
How We Help
At RB Consultancy Ltd, we support organisations looking to implement controls and/or certify to Cyber Essentials and Cyber Essentials Plus requirements:
- As an NCSC Cyber Advisor, we help organisations understand and implement essential technical controls.
- Our Vulnerability Assessment Plus certification reflects our ability to identify weaknesses, risk-rank findings, and provide clear remediation advice to support swift action.
- We hold IASME Cyber Essentials Plus Assessor certification, enabling us to assess organisations and guide them on applying necessary fixes.
- As a Cyber Essentials Plus Certification Body, we’re trusted to issue certificates to organisations that meet the required standards.
Conclusion
Having a regular process for checking and applying security updates is crucial for organisations of all sizes. It links to the reduction of risk, prevention of security breaches and supports information security. Apply patches ranked as high or critical risk within 14 days of release to comply with the Cyber Essentials scheme. You can use manual processes to keep systems updated. Software tools and services are also available to help organisations track, report, and apply updates through automated processes. The testing done for Cyber Essentials Plus helps identify missing patches. Uninstall unused applications. Apply updates on time. Keep a mindset of continual improvement.
If you would like assistance for Cyber Essentials / Cyber Essentials Plus certification, please contact us for support.