Part 6 of our comprehensive Essential Eight cybersecurity series for Australian businesses.
The Operating System: Your Security Foundation
While patching applications (covered in Part 2) addresses software that runs on your systems, patching operating systems addresses the foundation itself. Vulnerabilities in Windows, macOS, or Linux can provide attackers with deep access to compromise systems at the most fundamental level.
Why Operating System Patching is Critical
Kernel-Level Access
OS vulnerabilities often provide kernel-level access—the highest privilege level. This allows attackers to:
- Bypass all security controls
- Hide malicious activity from security tools
- Persist through reboots
- Access all data on the system
Wide Attack Surface
Operating systems are complex. Windows 10/11 contains over 50 million lines of code. This complexity means vulnerabilities are constantly discovered.
Remote Exploitation
Many OS vulnerabilities can be exploited remotely, allowing attackers to compromise systems without any user interaction.
Patching Timelines
The ACSC specifies patching timeframes based on maturity level:
Maturity Level One
- Patch internet-facing systems within one month
- Patch other systems within one month
- Use vendor-supported operating system versions
Maturity Level Two
- Patch internet-facing systems within two weeks
- Patch other systems within one month
- Automated deployment and compliance tracking
Maturity Level Three
- Patch critical vulnerabilities within 48 hours (internet-facing)
- Patch other vulnerabilities within two weeks
- Continuous vulnerability assessment and prioritization
Platform-Specific Considerations
Windows
- Windows Update for Business
- WSUS (Windows Server Update Services)
- Microsoft Endpoint Configuration Manager
- Intune for cloud-managed devices
- Feature updates vs security updates
- Servicing channels (LTSC vs General Availability)
- Driver updates and compatibility
- Reboot scheduling and user experience
macOS
- Jamf Pro or Kandji for enterprise management
- Nudge or similar tools for update prompting
- MDM profiles for update policies
- Major version upgrades vs point releases
- Application compatibility with new OS versions
- User-driven update acceptance
Linux
- Native package managers (apt, yum, dnf, zypper)
- Ansible, Puppet, or Chef for automation
- Landscape (Ubuntu) or Satellite (RHEL) for enterprise
- Distribution-specific update cycles
- Kernel live patching options
- Container host security (Docker, Kubernetes nodes)
End-of-Life Operating Systems
Running unsupported operating systems is a critical risk:
Examples of unsupported systems:
- Windows 7, 8, 8.1
- Windows Server 2012 and earlier
- macOS versions older than three major releases
- Ubuntu LTS versions past support window
If an unsupported system must stay in use for now:
- Isolate systems from the network
- Implement additional monitoring
- Document risk acceptance with executives
- Create urgent migration plans
Automation and Orchestration
Manual patching doesn't scale. Implement automation:
1. Vulnerability scanning to identify missing patches
2. Automated deployment via management tools
3. Compliance reporting to track patch status
4. Alerting for failed deployments or non-compliant systems
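As an added illustration of the compliance-reporting step (not code from this article's authors or from the ACSC), the Python below checks a patch inventory against the timeframes listed under Patching Timelines. The record fields, host names and patch IDs are constructed; "one month" is counted as 30 days, and a patch applied after its deadline is reported alongside patches that are still missing.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

MONTH = timedelta(days=30)      # assumption: "one month" counted as 30 days
TWO_WEEKS = timedelta(days=14)
HOURS_48 = timedelta(days=2)    # day granularity: 48 hours counted as 2 days

@dataclass
class PatchRecord:
    host: str
    internet_facing: bool
    patch_id: str               # constructed identifier, not a real KB/USN
    critical: bool
    released: date
    installed: Optional[date]   # None means the patch is still missing

def allowed_window(level: int, internet_facing: bool, critical: bool) -> timedelta:
    """Patching timeframe for a maturity level, as listed in the article."""
    if level == 1:
        return MONTH
    if level == 2:
        return TWO_WEEKS if internet_facing else MONTH
    if level == 3:
        return HOURS_48 if (internet_facing and critical) else TWO_WEEKS
    raise ValueError(f"unknown maturity level: {level}")

def non_compliant(records, level: int, today: date):
    """Return (host, patch_id, days_overdue) for patches missing or applied late."""
    findings = []
    for r in records:
        due = r.released + allowed_window(level, r.internet_facing, r.critical)
        applied = r.installed or today   # missing patches are measured to today
        if applied > due:
            findings.append((r.host, r.patch_id, (applied - due).days))
    return sorted(findings, key=lambda f: f[2], reverse=True)

# Constructed sample inventory (hosts and patch IDs are made up).
SAMPLE = [
    PatchRecord("web01", True, "OS-PATCH-A", True, date(2024, 3, 1), None),
    PatchRecord("web01", True, "OS-PATCH-B", False, date(2024, 3, 1), date(2024, 3, 10)),
    PatchRecord("hr-laptop7", False, "OS-PATCH-A", True, date(2024, 3, 1), None),
    PatchRecord("db02", False, "OS-PATCH-C", False, date(2024, 2, 1), date(2024, 3, 12)),
]

if __name__ == "__main__":
    for lvl in (1, 2, 3):
        print(lvl, non_compliant(SAMPLE, lvl, today=date(2024, 3, 20)))
```

The same inventory produces a longer findings list at each higher maturity level, which makes the report useful for gap analysis before committing to a target level.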
Handling Reboots
Most OS patches require reboots. Plan for this:
- Schedule maintenance windows
- Notify users in advance
- Use phased rollouts to limit impact
- Provide self-service reboot options where appropriate
- Monitor for pending-reboot states
Next Steps
With your operating systems secured, the next layer of protection is identity. Our next article covers Multi-Factor Authentication—ensuring that stolen passwords alone aren't enough.
Need help with OS patch management? Cloudscape IT provides comprehensive patch management services for Australian businesses. Contact us for an assessment.


