
The Cyber Essentials security update management controls

Patching

Software is made up of thousands of lines of code. Studies have found that, on average, every 1000 lines of code contain 10-15 errors. Most of these errors go unnoticed by the user; however, each error is a potential vulnerability. When vulnerabilities are discovered, reputable software developers release fixes as software updates to correct the known error. This is known as ‘patching’. Old, ‘unpatched’ software that has not been updated is therefore vulnerable to hackers and cyber criminals.

Cyber Essentials requires that all critical and high-risk updates, and any updates for which the vendor provides no severity details, must be installed within 14 days of release by the vendor.

• Some vendors use different terms to describe the severity of vulnerabilities. ‘Critical’ or ‘high risk’ can also be described as a CVSS v3 base score of 7 or above; the Common Vulnerability Scoring System (CVSS) provides a numerical representation of the severity of software vulnerabilities.
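The two thresholds above (CVSS v3 base score of 7 or above, or no severity details, and a 14-day window from vendor release) can be turned into a simple compliance check over a patch inventory. The following is an added example, not part of the Cyber Essentials documentation or any vendor tool; the `Update` record, the field names and the sample inventory are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Threshold values as stated in the Cyber Essentials requirement above
CVSS_HIGH_THRESHOLD = 7.0
PATCH_WINDOW_DAYS = 14


@dataclass
class Update:
    """One vendor update as tracked in a (hypothetical) patch inventory."""
    name: str
    released: date                 # date the vendor released the update
    cvss_base: Optional[float]     # CVSS v3 base score; None = vendor gave no details
    installed: Optional[date]      # date it was installed; None = not yet installed


def must_patch_within_window(u: Update) -> bool:
    """The 14-day rule applies to critical/high updates (CVSS >= 7)
    and to updates where the vendor provided no severity details."""
    return u.cvss_base is None or u.cvss_base >= CVSS_HIGH_THRESHOLD


def deadline(u: Update) -> date:
    """Latest date on which the update may be installed and still comply."""
    return u.released + timedelta(days=PATCH_WINDOW_DAYS)


def compliance_status(u: Update, today: date) -> str:
    """Classify an update against the 14-day rule as of 'today'.

    out-of-scope : below the severity threshold, the rule does not apply
    compliant    : installed on or before the deadline
    late         : installed, but after the deadline
    overdue      : not installed and the deadline has passed
    pending      : not installed, deadline still in the future
    """
    if not must_patch_within_window(u):
        return "out-of-scope"
    if u.installed is not None:
        return "compliant" if u.installed <= deadline(u) else "late"
    return "overdue" if today > deadline(u) else "pending"


def non_compliant(updates: List[Update], today: date) -> List[str]:
    """Names of updates that breach the 14-day requirement."""
    return [u.name for u in updates
            if compliance_status(u, today) in ("overdue", "late")]


# Constructed sample inventory: names, scores and dates are illustrative only
SAMPLE: List[Update] = [
    Update("browser-2024.1",     date(2024, 3, 1),  9.8,  date(2024, 3, 5)),
    Update("office-suite-q1",    date(2024, 3, 1),  8.1,  date(2024, 3, 20)),
    Update("vpn-client-hotfix",  date(2024, 3, 10), None, None),
    Update("media-player-minor", date(2024, 2, 1),  4.3,  None),
]
TODAY = date(2024, 3, 28)   # constructed "current date" for the sample run


if __name__ == "__main__":
    for u in SAMPLE:
        print(f"{u.name:22} deadline={deadline(u)} status={compliance_status(u, TODAY)}")
    print("non-compliant:", non_compliant(SAMPLE, TODAY))
```

The check is deliberately conservative: an update with no CVSS score is treated as in scope, matching the requirement that updates "with no details provided" fall under the same 14-day window. Feeding the function real vendor release dates rather than the date an update was noticed is what makes the deadline meaningful.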

The easiest and most effective way to ensure that all your software is kept up to date is to turn on automatic updates on each of your devices. This will mean that patches are automatically applied when they are released by the respective vendor.

For some larger organisations, there is a concern that a software update may stop other software from working or cause some features to break. Most IT teams in larger organisations therefore aim to fully test each update on a controlled sample of devices before applying it company-wide.

Unsupported, legacy or end of life software

When software is unsupported, the vendor ceases to create and distribute patches. The age at which software becomes unsupported varies significantly between vendors.

At this point, the software is classed as ‘legacy’ or ‘end of life’: it is no longer supported and therefore no longer secure to use. Not only are its vulnerabilities left unpatched, but they become public knowledge for security researchers and hackers alike, who create programmes and services that make them easy to exploit, even for attackers with low levels of technical expertise.

The Cyber Essentials standard therefore requires that unsupported software is removed from devices. If this isn’t possible, it can be removed from the certification scope by moving it to a well-defined, segregated and separately managed subset that prevents all traffic to/from the internet.