Part 2 of our comprehensive Essential Eight cybersecurity series for Australian businesses.
The Patching Imperative
In our [previous article](/blog/essential-eight-application-control), we explored Application Control—ensuring only authorized software runs in your environment. But even approved applications can become dangerous when they contain known vulnerabilities.
Patch Applications is the second Essential Eight strategy, and for good reason: unpatched software is one of the most exploited attack vectors in cybersecurity today.
According to the Australian Cyber Security Centre (ACSC), many successful cyber attacks exploit vulnerabilities for which patches have been available for months or even years. The message is clear—patching isn't optional.
Understanding the Vulnerability Lifecycle
When a software vulnerability is discovered, a race begins:
- 1.Discovery: A vulnerability is identified (by researchers, vendors, or attackers)
- 2.Disclosure: The vendor is notified and begins developing a fix
- 3.Patch Release: The vendor releases an update addressing the vulnerability
- 4.Exploitation Window: Attackers actively target unpatched systems
- 5.Remediation: Organizations apply the patch, closing the vulnerability
The time between patch release and application is your vulnerability window—and it's when your organization is most at risk. Every day a patch remains unapplied is another day attackers can exploit the vulnerability.
Why Application Patching Matters
The Numbers Don't Lie
- ▸60% of breaches involve unpatched vulnerabilities
- ▸43 days is the average time to patch critical vulnerabilities in Australian organizations
- ▸24-48 hours is the typical time for attackers to weaponize a disclosed vulnerability
- ▸85% of successful attacks use known vulnerabilities with available patches
High-Profile Examples
Recent attacks targeting Australian organizations have exploited unpatched applications:
- ▸Microsoft Exchange Server vulnerabilities enabled widespread email breaches
- ▸Log4j affected countless Java-based applications across all industries
- ▸Citrix Gateway vulnerabilities provided entry points for ransomware operators
- ▸Fortinet VPN flaws exposed remote access infrastructure
What Applications Need Patching?
The Essential Eight specifically targets high-risk applications—those most commonly exploited by attackers:
Priority 1: Internet-Facing Applications
- ▸Web browsers: Chrome, Firefox, Edge, Safari
- ▸Email clients: Outlook, Thunderbird
- ▸PDF readers: Adobe Acrobat, Foxit Reader
- ▸Web servers: IIS, Apache, Nginx
- ▸VPN solutions: Cisco AnyConnect, FortiClient, GlobalProtect
Priority 2: Office Productivity
- ▸Microsoft Office Suite: Word, Excel, PowerPoint, Outlook
- ▸Alternative suites: LibreOffice, Google Workspace desktop apps
- ▸Collaboration tools: Teams, Slack, Zoom
Priority 3: Development & Infrastructure
- ▸Java Runtime Environment (JRE)
- ▸Programming frameworks: .NET, Python, Node.js
- ▸Database software: SQL Server, Oracle, MySQL, PostgreSQL
- ▸Middleware: Application servers, message queues
Priority 4: Security Software
- ▸Antivirus/EDR solutions
- ▸Firewalls and security appliances
- ▸Identity management systems
- ▸Backup and recovery software
Maturity Levels for Patch Applications
Maturity Level One: Foundation
- ▸Patch internet-facing applications within one month of release
- ▸Patch other high-risk applications within one month
- ▸Use vendor-supported application versions
- ▸Remove or isolate applications that can no longer be patched
- 1.Inventory all applications in your environment
- 2.Identify internet-facing and high-risk applications
- 3.Subscribe to vendor security advisories
- 4.Establish a basic patching schedule
Maturity Level Two: Enhanced
- ▸Patch internet-facing applications within two weeks of release
- ▸Patch other high-risk applications within one month
- ▸Automated vulnerability scanning
- ▸Formal patch testing procedures
- 1.Deploy vulnerability scanning tools
- 2.Implement a patch testing environment
- 3.Automate patch deployment where possible
- 4.Track patching metrics and compliance
Maturity Level Three: Advanced
- ▸Patch internet-facing applications within 48 hours for critical vulnerabilities
- ▸Patch other high-risk applications within two weeks
- ▸Continuous vulnerability assessment
- ▸Risk-based prioritization and accelerated patching for exploited vulnerabilities
- 1.Implement continuous vulnerability monitoring
- 2.Integrate threat intelligence for exploitation awareness
- 3.Establish emergency patching procedures
- 4.Automate end-to-end patch lifecycle management
Building an Effective Patching Strategy
Step 1: Comprehensive Application Inventory
You can't patch what you don't know about. Build and maintain a complete inventory of all applications in your environment.
- ▸Application name and vendor
- ▸Current version installed
- ▸Installation locations (which systems)
- ▸Business owner/responsibility
- ▸Criticality rating
- ▸End-of-support dates
- ▸Microsoft Endpoint Configuration Manager (MECM/SCCM)
- ▸ManageEngine Desktop Central
- ▸PDQ Inventory
- ▸Qualys Asset Inventory
Step 2: Vulnerability Intelligence
Stay informed about new vulnerabilities and available patches.
- ▸ACSC Alerts: [cyber.gov.au](https://cyber.gov.au)
- ▸CVE Database: [cve.mitre.org](https://cve.mitre.org)
- ▸Vendor Security Bulletins: Subscribe to advisories from all software vendors
- ▸Security News: Reputable cybersecurity news sources
- ▸CVSS score (severity rating)
- ▸Known active exploitation in the wild
- ▸Exposure of affected systems (internet-facing vs internal)
- ▸Business criticality of affected applications
Step 3: Testing and Validation
Patches can occasionally cause compatibility issues. A testing process reduces risk.
- 1.Lab Testing: Apply patches to non-production systems first
- 2.Pilot Group: Roll out to a small group of production users
- 3.Staged Deployment: Gradually expand to all systems
- 4.Rollback Plan: Always have a way to revert if issues occur
Balancing Speed and Safety:
For critical vulnerabilities with active exploitation, you may need to accept higher risk of compatibility issues in exchange for faster remediation. Document this risk acceptance.
Step 4: Deployment Automation
Manual patching doesn't scale. Automate wherever possible.
- ▸Windows: WSUS, Intune, MECM, third-party solutions
- ▸macOS: Jamf Pro, Kandji, Mosyle
- ▸Linux: Ansible, Puppet, Chef, native package managers
- ▸Cross-Platform: Automox, ManageEngine, NinjaOne
- ▸Schedule patches during maintenance windows
- ▸Stagger deployments to limit blast radius
- ▸Configure automatic reboots where appropriate
- ▸Monitor deployment success/failure rates
Step 5: Verification and Reporting
Confirm patches are successfully applied and maintain compliance visibility.
- ▸Post-deployment vulnerability scans
- ▸Version checks via management tools
- ▸Compliance dashboards and reports
- ▸Audit trails for regulatory requirements
- ▸Patch compliance rate (% of systems patched)
- ▸Mean time to patch (MTTP)
- ▸Open vulnerability count and age
- ▸Failed patch deployments
- ▸Exception/waiver tracking
Handling Difficult Patching Scenarios
Legacy Applications
Some applications can't be patched because they're end-of-life or the vendor no longer exists.
- ▸Isolate legacy systems on separate network segments
- ▸Implement additional compensating controls (firewalls, monitoring)
- ▸Plan migration to supported alternatives
- ▸Document risk acceptance with business stakeholders
Business-Critical Systems
Some systems can't tolerate downtime for patching.
- ▸High-availability architectures allowing rolling updates
- ▸Scheduled maintenance windows during low-usage periods
- ▸Virtualization with snapshot/rollback capabilities
- ▸Containerization for rapid deployment and rollback
Third-Party Vendor Delays
Sometimes vendors are slow to release patches.
- ▸Document vendor communication and timelines
- ▸Implement temporary mitigations (workarounds, additional controls)
- ▸Evaluate alternative products with better security practices
- ▸Report to ACSC if critical infrastructure is affected
Common Patching Pitfalls
❌ "We'll get to it later"
Procrastination is dangerous. Attackers don't wait.
❌ Incomplete Coverage
Focusing only on operating systems while neglecting applications leaves major gaps.
❌ No Testing
Pushing patches straight to production risks outages and user impact.
❌ Manual Processes
Manual patching can't keep pace with modern vulnerability disclosure rates.
❌ No Visibility
If you don't measure patching compliance, you can't manage it.
Integration with Other Essential Eight Strategies
Patch Applications works hand-in-hand with other controls:
- ▸Application Control: Only approved applications need patching—reduces scope
- ▸Configure Microsoft Office: Patched Office reduces macro-based attack risks
- ▸Patch Operating Systems: Complete patching covers both applications and OS
- ▸User Application Hardening: Hardened applications are more resilient even when unpatched
The Cost of Not Patching
Consider the true cost of leaving vulnerabilities unaddressed:
| Cost Factor | Potential Impact |
|---|---|
| Data Breach | $4.35M average cost (IBM 2023) |
| Ransomware | Ransom + downtime + recovery |
| Regulatory Fines | OAIC penalties up to $50M |
| Reputation Damage | Customer trust, brand value |
| Legal Liability | Class actions, contractual breaches |
Compare this to the cost of a well-managed patching program—the ROI is clear.
Next Steps
Patch Applications is essential, but it's just one layer of defense. In our next Essential Eight article, we'll explore Configure Microsoft Office Macro Settings—preventing one of the most common malware delivery mechanisms.
Need help establishing a robust patching program? Cloudscape IT provides comprehensive vulnerability and patch management services tailored for Australian businesses. Contact us for a vulnerability assessment and patching strategy consultation.
---
This article is part of our Essential Eight cybersecurity series. Continue reading to learn about Configure Microsoft Office Macro Settings, User Application Hardening, Restrict Administrative Privileges, Patch Operating Systems, Multi-Factor Authentication, and Regular Backups.
