Cyber Essentials – The 14 Day Patch Challenge



Cyber Essentials Technical Controls: Security Update Management

Cyber Essentials (CE) incorporates various technical controls, among which security update management is pivotal.

Objective: Ensure that devices and software are not vulnerable to known security issues for which fixes are available.

Precise Requirements:

  • Ensure all software in scope is:
    • Licensed and supported
    • Removed from devices when it becomes unsupported, or removed from scope by using a defined subset that prevents internet traffic
    • Equipped with automatic updates enabled where feasible
  • Update all software within 14 days of an update's release, particularly if the update:
    • Fixes vulnerabilities labeled by the vendor as ‘critical’ or ‘high risk’
    • Addresses vulnerabilities with a CVSS v3 base score of 7 or above
    • Comes with no vulnerability details provided by the vendor

vRx Functionality:

vRx’s primary function is to offer real-time visibility of vulnerabilities, prioritize risks, and provide mitigation through patching and virtual patching (patchless protection), making it ideal for end-to-end security update management.

  • Visibility is provided via an agent on managed assets (Windows, Mac & Linux) and a supported applications catalog maintained by Vicarius.
  • vRx identifies unsupported applications through xTags and can remove them.
  • Applications can be updated manually or on an automated schedule, ensuring critical and high-severity patches are applied within 14 days.
  • vRx facilitates identifying and managing applications that have CVEs with a CVSS score of 7 or above, or for which no vulnerability details are available.
  • Configuration changes required to meet CE / CE+ requirements can be scripted for implementation across managed assets, enhancing secure configuration management.
  • The scripting tool offers flexibility to deploy software and patches for unsupported software through the platform.

Conclusion:

vRx streamlines one of the most challenging aspects of CE / CE+: staying updated with patches and ensuring visibility of compliance.

Free Trial Offer:

Interested in trying Vicarius Patch Management? Email solutions@it-b.co.uk for a hassle-free setup!