Microsoft Patch Tuesday

On the second Tuesday of each month since 2003, Microsoft has released security-related updates to Windows (desktop and server), Office, and related products. Updates and patches are not released only on that schedule: ‘Out-Of-Band (OOB)’ updates are sometimes issued for actively exploitable vulnerabilities.

Where To Find Updates

Every security update issued by Microsoft comes with a summary published by the Microsoft Security Response Center (MSRC) at approximately the same time the updates are released. Oftentimes you will see the Common Vulnerabilities and Exposures (CVE) number associated with the security gap, which you can easily search for on Google to find more information.

CVE entries are brief; they don’t include technical data or information about potential impacts or the fixes themselves. Those details appear in other databases, including the U.S. National Vulnerability Database (NVD), the CERT/CC Vulnerability Notes Database, and additional lists controlled by the vendor in question or other cybersecurity organizations. Across these different systems, CVE IDs give users a reliable way to understand unique security flaws in a repeatable fashion.

A related standard for ranking the criticality of a CVE is found in the Common Vulnerability Scoring System (CVSS), a set of open standards for assigning a number to a vulnerability to assess its severity. CVSS scores are listed in CVE, NVD, and CERT advisories. Scores range from 0.0 to 10.0, with higher numbers representing a higher degree of severity of the vulnerability. Many security vendors have created their own scoring systems, as well. Below is the official rating system published by Microsoft: 

Rating: Description

Critical: A vulnerability whose exploitation could allow code execution without user interaction. These scenarios include self-propagating malware (e.g. network worms), or unavoidable common use scenarios where code execution occurs without warnings or prompts. This could mean browsing to a web page or opening email. Microsoft recommends that customers apply Critical updates immediately.

Important: A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources. These scenarios include common use scenarios where client is compromised with warnings or prompts regardless of the prompt's provenance, quality, or usability. Sequences of user actions that do not generate prompts or warnings are also covered. Microsoft recommends that customers apply Important updates at the earliest opportunity.

Moderate: Impact of the vulnerability is mitigated to a significant degree by factors such as authentication requirements or applicability only to non-default configurations. Microsoft recommends that customers consider applying the security update.

Low: Impact of the vulnerability is comprehensively mitigated by the characteristics of the affected component. Microsoft recommends that customers evaluate whether to apply the security update to the affected systems.

What’s The Best Practice Regarding Patch Tuesday?

Every SMB should have a process for handling critical vulnerability alerts in order to quickly assess risk and make important, time-sensitive decisions about how to react. With a Vulnerability Alert Management Process (VAMP) in place, you have a clear guide to when to jump and how high to jump for a given vulnerability or exposure.
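
A triage queue for one monthly release, as an added example that is not part of the original article: it orders advisories by exploitation status, then Microsoft rating, then CVSS score, and attaches the Microsoft recommendation from the table above. The ordering policy, the escalation of exploited flaws, and the sample records with placeholder CVE IDs are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Microsoft's ratings and recommendations, as given in the table above.
MS_ACTION = {
    "Critical": "apply immediately",
    "Important": "apply at the earliest opportunity",
    "Moderate": "consider applying",
    "Low": "evaluate whether to apply",
}
RANK = {name: i for i, name in enumerate(MS_ACTION)}  # Critical=0 ... Low=3

@dataclass(frozen=True)
class Advisory:
    cve: str          # placeholder IDs below, not real CVEs
    product: str
    ms_rating: str    # Microsoft severity rating
    cvss: float       # CVSS base score, 0.0 to 10.0
    exploited: bool   # reported as exploited in the wild

def validate(adv):
    """Reject records whose rating or score is outside the published scales."""
    if adv.ms_rating not in MS_ACTION:
        raise ValueError(f"{adv.cve}: unknown rating {adv.ms_rating!r}")
    if not 0.0 <= adv.cvss <= 10.0:
        raise ValueError(f"{adv.cve}: CVSS {adv.cvss} outside 0.0-10.0")

def triage(advisories):
    """Return (advisory, action) pairs, most urgent first."""
    for adv in advisories:
        validate(adv)
    # Assumed policy: exploited first, then Microsoft rating, then CVSS.
    ordered = sorted(advisories, key=lambda a: (
        not a.exploited, RANK[a.ms_rating], -a.cvss))
    # Assumption: an exploited flaw is escalated to the Critical action.
    return [
        (a, MS_ACTION["Critical"] if a.exploited else MS_ACTION[a.ms_rating])
        for a in ordered
    ]

# Constructed sample data for one monthly release.
SAMPLE = [
    Advisory("CVE-PLACEHOLDER-1", "Office", "Important", 7.8, False),
    Advisory("CVE-PLACEHOLDER-2", "Windows Server", "Critical", 9.8, False),
    Advisory("CVE-PLACEHOLDER-3", "Windows", "Important", 7.0, True),
    Advisory("CVE-PLACEHOLDER-4", "Windows", "Moderate", 8.1, False),
]

if __name__ == "__main__":
    for adv, action in triage(SAMPLE):
        print(f"{adv.cve:18} {adv.ms_rating:9} {adv.cvss:4} -> {action}")
```

The Moderate entry sorts below the Important one despite its higher CVSS score, because the Microsoft rating and the CVSS number are separate scales and this policy ranks by rating first.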

In order to stay up to date at all times, it’s important to deploy a cloud-based patch management solution to automatically update software whenever and wherever necessary. Most Managed Service Providers leverage one of the big three Remote Monitoring and Management (RMM) solutions (ConnectWise, Datto, and Kaseya) for patching their managed systems. These RMM solutions also provide monitoring and remote access, in addition to tested and validated patching services, to their clients.

Standalone patch management solutions for companies not using the above-mentioned RMM solutions include ManageEngine and Automox.

SMB Protections Beyond Patch Management

In addition to adopting a patch management system, CyberHoot recommends the following best practices to protect individuals and businesses against, and limit damages from, online cyber attacks:
