Cyber Essentials Section 5 - Patch Management

The Cyber Essentials is a UK government-backed framework which is designed to assist organisations in protecting themselves against common threats.  The Cyber Essentials provides a basic cyber security foundation that can serve as a stepping stone to a more comprehensive zero-trust approach. The Cyber Essentials is built on 5 key components that, when implemented correctly, can reduce cyber risk.  The five key components are:

1. Firewalls and Boundary Devices
2. Secure Configurations
3. Access Control
4. Malware Protection
5. Patch Management

Tenable has released a series of dashboards, that focuses on each of the five basic technical controls, which organisations can use to help strengthen their defences against the most common cyber threats.

The focus of this dashboard is Section 5 - Patch Management.  Organisations which comply with Section 5 ensure they are actively fixing vulnerabilities before attackers can exploit them, reducing risk, and demonstrating responsible security practices. In addition to reducing risk, compliance demonstrates that organisations take security seriously,  improving  trust with customers, partners, and regulators. 

This key component applies to all the following in scope devices: Boundary Firewalls, Desktop Computers, Laptops, Routers, Servers, Iaas, PaaS, and SaaS devices.  Some items to focus on within this key component are:

• Reducing exploitable weaknesses
• Keeping devices and software secure
• Limiting the window of risk (enforcing timely updates)

Components

• Outstanding Remediations - Time Since Patch Publication (Assets) - The Outstanding Remediations - Time Since Patch Publication (Assets) component displays the total count of missing patches across the environment. 

• Application Patch Risk Summary - The Application Patch Risk Comparison component provides a detailed analysis of application vulnerabilities by comparing patch availability and release timelines between 'Most Targeted Apps' and 'Other Apps.' 

• Unsupported Product Summary - Unsupported Applications - The Unsupported Product Summary table displays all unsupported applications by name, sorted by count. 

• Unsupported Product Summary - Operating Systems - This indicator matrix reports on operating systems that are no longer supported.  

• Top 50 Missing MS Security Patches - This component displays the top 50 most common missing Microsoft security patches. 

• InfoSec Team - One-Stop-Shop Comprehensive Attack Surface - Mitigation SLAs - This matrix assists with InfoSec teams map mitigation progress and presents data to determine if organizational SLAs are being met.