This type of joint advisory has become all too familiar: the cyber security community again urging organisations to mitigate known, and avoidable, security weaknesses and vulnerabilities. The recent release from the NCSC, ACSC and their counterparts details a number of frequently exploited vulnerabilities and attributes the activity to foreign commercial entities.
Organisations, particularly those in critical industries, are urged to hunt out and fix these known vulnerabilities before an adversary uses them against their networks. It's all too familiar.
What makes this release stand out is its directness:
“The advisory describes how the threat actors have had considerable success taking advantage of known common vulnerabilities rather than relying on bespoke malware or zero-day vulnerabilities to carry out their activities, meaning attacks via these vectors could have been avoided with timely patching.”
In short: even when advised to do so, organisations are not keeping pace with software vulnerabilities.
The recommendations aren't new either: known vulnerabilities should not remain unpatched. The problem is less about not knowing what to do and more about staying continuously vigilant for known threats and their mitigations. The advisory provides extensive hunting and mitigation advice.
A policy framework is a crucial starting point: define patching timeframes, assign responsibilities, and establish exception processes.
Equally important is maintaining an up-to-date inventory of assets, systems and software builds. This becomes more challenging when it extends to connected devices outside IT's direct control. Manual tracking usually has to give way to automated tools that cross-reference the inventory against known vulnerabilities and against a clear understanding of each system's criticality.
In medium to large environments, the sheer number of solutions, applications and operating systems can make manual patching impractical. With more than 40,000 CVEs published in 2024, leaving it to end users, and perhaps a chance discovery, is not an option.
Centralised patch management, vulnerability tracking and asset identification are key to resolving unpatched vulnerabilities. Wherever possible, automatic download and installation of patches is vital to ensure a systematic and timely process. Automation still needs a staged rollout (a pilot ring before the fleet) and a rollback path, so that a bad patch does not become its own outage. A system reboot after a patch installation might be inconvenient, but it's far less costly than recovering from a breach or ransomware attack. The less reliance on human intervention, the better.
Not all systems can be patched easily. Older software, business-critical platforms or those that can’t tolerate downtime present unique issues.
You can't patch a medical device mid-procedure, but leaving it unprotected isn't an option either. Risk mitigation for systems that can't be patched is just as important as fixing the vulnerabilities you can address: network segmentation, restricted access and heightened monitoring are the usual compensating controls, recorded as a policy exception with an owner and a review date rather than silently left off the worklist.
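The preceding paragraphs describe one procedure: a policy that sets patching timeframes by criticality and an exception route, an inventory cross-referenced against known vulnerabilities, and a separate path for systems that cannot be patched. The following script is an added illustration of that triage, not code from this article or from Huntsman; the SLA values, host names, product names, version numbers and the VULN-nnnn identifiers are all constructed placeholders (they are not real CVE ids), and `patchable=False` stands in for the exception route.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed policy table (hypothetical values): days allowed to remediate a
# finding, keyed by the affected asset's criticality.
PATCH_SLA_DAYS = {"critical": 2, "high": 14, "medium": 30, "low": 90}
CRITICALITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    criticality: str
    patchable: bool = True   # False: platform cannot take the patch (e.g. in-use medical device)


@dataclass(frozen=True)
class Advisory:
    vuln_id: str             # placeholder identifier, not a real CVE
    product: str
    fixed_in: str            # first version that contains the fix
    published: date


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str
    criticality: str
    action: str              # "patch", or "mitigate" for the exception route
    due: date


def parse_version(version: str) -> tuple:
    """Dotted numeric version -> comparable tuple, so '2.4.9' < '2.4.10' holds."""
    return tuple(int(part) for part in version.split("."))


def is_affected(asset: Asset, advisory: Advisory) -> bool:
    """Affected when the product matches and the installed version predates the fix."""
    return (asset.product == advisory.product
            and parse_version(asset.version) < parse_version(advisory.fixed_in))


def triage(assets, advisories, sla_days=PATCH_SLA_DAYS):
    """Cross-reference the inventory against advisories and return a prioritised worklist.

    Due date = advisory publication + the SLA for the asset's criticality.
    Unpatchable assets still get a finding, routed to compensating controls.
    """
    findings = []
    for asset in assets:
        for adv in advisories:
            if not is_affected(asset, adv):
                continue
            due = adv.published + timedelta(days=sla_days[asset.criticality])
            action = "patch" if asset.patchable else "mitigate"
            findings.append(Finding(asset.host, adv.vuln_id, asset.criticality, action, due))
    findings.sort(key=lambda f: (CRITICALITY_RANK[f.criticality], f.due, f.host))
    return findings


# Constructed sample inventory and advisory feed (hypothetical hosts, products,
# versions and identifiers).
ASSETS = [
    Asset("web01", "exampleweb", "2.4.9", "critical"),
    Asset("db01", "exampleweb", "2.5.0", "high"),                     # already on a fixed version
    Asset("mri01", "exampleweb", "2.4.1", "high", patchable=False),   # cannot be patched in place
    Asset("ws07", "exampletool", "1.2.3", "low"),
]
ADVISORIES = [
    Advisory("VULN-0001", "exampleweb", "2.4.10", date(2024, 6, 1)),
    Advisory("VULN-0002", "exampletool", "1.3.0", date(2024, 6, 10)),
]

if __name__ == "__main__":
    for f in triage(ASSETS, ADVISORIES):
        print(f"{f.host:6} {f.vuln_id} {f.criticality:8} {f.action:8} due {f.due}")
```

Note that `db01` produces no finding because a numeric, tuple-based comparison is used; comparing version strings lexically would have wrongly flagged `2.4.9` as newer than `2.4.10`, which is a common source of false "patched" results in home-grown inventory scripts.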
Threat visibility matters. Tracking patch progress, verifying rollouts, and reporting on coverage provides assurance to stakeholders and exposes security gaps ahead of an adversary.
Manual auditing is no more effective than manual patching. Automated reporting and independent verification tools are critical to informing effective mitigation, ideally drawing on a broader context than the patching systems' own reports: a console that says a patch was deployed is a claim, and a separate observation of the running version is the evidence.
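To make the verification point concrete, here is an added example of a coverage report that treats the patch console's "done" flag as a claim and checks it against an independently observed version on each host. It is not code from this article or from Huntsman's products; the hosts, products, versions, due dates and VULN-nnnn identifiers are constructed placeholders, and the observed versions stand in for whatever an authenticated scan or agent would actually report.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PatchTask:
    host: str
    product: str
    vuln_id: str              # placeholder identifier, not a real CVE
    fixed_in: str             # first version that contains the fix
    due: date                 # deadline from the patch policy
    console_says_done: bool   # what the patch management console reports


def parse_version(version: str) -> tuple:
    """Dotted numeric version -> comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def is_verified(task: PatchTask, observed: dict) -> bool:
    """True only if an independent observation shows a fixed version on the host."""
    seen = observed.get((task.host, task.product))
    return seen is not None and parse_version(seen) >= parse_version(task.fixed_in)


def coverage_report(tasks, observed, today: date) -> dict:
    """Coverage is counted from verified state, never from the console's claim.

    Also surfaces the three gaps a stakeholder report should show:
    claims the evidence contradicts, hosts with no evidence at all, and
    unverified tasks past their policy deadline.
    """
    verified = [t for t in tasks if is_verified(t, observed)]
    blind_spots = [t for t in tasks if (t.host, t.product) not in observed]
    false_claims = [t for t in tasks
                    if t.console_says_done
                    and (t.host, t.product) in observed
                    and not is_verified(t, observed)]
    overdue = [t for t in tasks if not is_verified(t, observed) and t.due < today]
    return {
        "total": len(tasks),
        "verified": len(verified),
        "coverage_pct": round(100.0 * len(verified) / len(tasks), 1) if tasks else 100.0,
        "console_claims_not_verified": sorted(t.host for t in false_claims),
        "no_verification_data": sorted(t.host for t in blind_spots),
        "overdue": sorted(t.host for t in overdue),
    }


# Constructed sample data: the task list a patch system might export, and the
# versions an independent check actually observed.
TASKS = [
    PatchTask("web01", "exampleweb", "VULN-0001", "2.4.10", date(2024, 6, 3), True),
    PatchTask("web02", "exampleweb", "VULN-0001", "2.4.10", date(2024, 6, 3), True),
    PatchTask("app03", "exampleweb", "VULN-0001", "2.4.10", date(2024, 6, 15), False),
    PatchTask("ws07", "exampletool", "VULN-0002", "1.3.0", date(2024, 9, 8), False),
]
OBSERVED = {
    ("web01", "exampleweb"): "2.4.10",   # console claim confirmed
    ("web02", "exampleweb"): "2.4.9",    # console says done; the host disagrees
    ("app03", "exampleweb"): "2.4.9",    # known outstanding
    # ws07 was never scanned: a blind spot, not a pass
}


def sample_report() -> dict:
    """Report as of a constructed reporting date."""
    return coverage_report(TASKS, OBSERVED, date(2024, 6, 20))


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

The important design choice is that `ws07` lowers the coverage figure rather than being ignored: a host that cannot be verified is a gap in assurance, and reporting it as such is what exposes the gap ahead of an adversary rather than after one.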
The challenges of patch management are real, but solutions exist; and effectively hunting vulnerabilities is key to maintaining your cyber posture.
Huntsman’s Auditor and Scorecard for the Essential Eight community, and SmartCheck for all other enterprises, make verifying patch processes and spotting gaps quick and straightforward.