Early desktop and server versions of Windows suffered from design flaws, memory leaks, and inadequate drivers that would require a reboot on a frequent basis. End users would implement tools to automatically schedule the cycling of services, reboot hosts, and even run tasks to flush temporary files, just to keep the system operating for as long as possible before a reboot. This may sound completely foreign to newer administrators (just like using a pay phone might be to Gen Z), but Windows was not always as robust and as secure as it is today.
The early days of distributed computing required all sorts of tools and workarounds to maintain availability. Fortunately, times have changed, but periodic reboots are still required and the longer you wait, the higher your cyber risk exposure.
Microsoft Has Been Consistent in Releasing Security Patches—You Should Be Consistent in Applying Them
To understand the problem, let's review some of the key risks. The unofficial term for Microsoft's patch schedule is Patch Tuesday. Starting back in October 2003 (yes, 15 years ago), Microsoft has scheduled patch releases on the second Tuesday of each calendar month. Barring exceptions for zero-day patches and Security Essential updates like Defender, the release schedule provides a predictable method for IT and security teams to assess for vulnerabilities and missing security patches, and to apply patches, which, many times, require a reboot.
Based on configuration management, downtime due to a reboot, potential incompatibilities, and change control requirements within an organization, these patches could be delayed for weeks or months to avoid incompatibilities and a reboot. This is the obvious risk. The longer it takes to apply these patches and reboot, the higher the risk of potential exploitation. Applying the patches alone and not rebooting (in most cases) does not protect the host and could lead to other attack vectors due to a potential incomplete state of remediation.
As simple as it sounds, patches from Microsoft should be applied shortly after the Patch Tuesday release. If an organization waits more than 30 days for critical vulnerabilities, they risk being out of compliance for regulations like PCI DSS. While security professionals may argue that most devices are not in PCI DSS scope, and not subject to the 30 day rule, I would encourage them to reconsider their security policies. Attack vectors against critical resources likely do not occur directly against critical infrastructure any longer. Modern attacks typically leverage unpatched endpoints, poor privileged access management practices, and configuration mistakes, which allow a threat actor to gain a foothold and progress laterally to extract sensitive data via an endpoint.
Since 2003, the motivations of threat actors have largely evolved. 10-15 years ago and beyond, script kiddies and early attackers possessed more of a mischievous bent, looking to cause cyber disruptions for bragging rights. Today, more common motives include monetizing information, hacktivism (hacking for a cause, such as to embarrass a target), or state-sponsored cyber warfare to impair a target's infrastructure and economy, or to destabilize it politically.
Microsoft has remained consistent in releasing security updates approximately every 30 days. The longer the lag time before an organization applies the patches, the greater the window of cyber risk. I encourage organizations to plan for Microsoft Windows reboots every 30 days as a part of their change management practices. And most importantly, apply the patches before the scheduled reboots on desktops, servers, and even in the cloud. This does not necessarily mean to apply the updates as soon as they come out. While immediately applying updates provides the best protection, it also presents a heightened risk for incompatibilities, which may not be a good tradeoff. With this in mind, strive to apply the patches on a monthly scheduled basis, even if it takes a calendar month or two to test for incompatibilities from previous releases.
The simplest recommendation from this blog is, as the title states: reboot your Windows machines every 30 days and apply the latest business approved patches before each reboot to ensure the lowest risks from vulnerabilities and potential exploitation. The longer you delay, the higher the likelihood of an undesirable security consequence.
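One way to check a host against this recommendation, as an added example that is not part of the original post: the PowerShell below reports whether a machine has exceeded the 30-day reboot window, whether it has booted since the most recent Patch Tuesday, and whether installed updates are still waiting on a reboot. The function names and the report fields are assumptions made for this illustration; the two registry markers are the ones Windows servicing and Windows Update set when a reboot is outstanding.

```powershell
# Added example: audit the local host against a 30-day reboot cadence.
$MaxUptimeDays = 30   # threshold from the article's recommendation

function Get-PatchTuesday {
    param([datetime]$Month)
    # Second Tuesday of the month that contains $Month.
    $first  = [datetime]::new($Month.Year, $Month.Month, 1)
    $offset = (([int][DayOfWeek]::Tuesday) - [int]$first.DayOfWeek + 7) % 7
    $first.AddDays($offset + 7)
}

function Get-LastPatchTuesday {
    param([datetime]$Now = (Get-Date))
    $pt = Get-PatchTuesday -Month $Now
    # Before this month's second Tuesday, the relevant release is last month's.
    if ($pt -gt $Now.Date) { $pt = Get-PatchTuesday -Month $Now.AddMonths(-1) }
    $pt
}

function Test-PendingReboot {
    # Either key existing means updates are staged but not yet active.
    $markers = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )
    foreach ($key in $markers) {
        if (Test-Path -Path $key) { return $true }
    }
    return $false
}

$lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
$uptime   = (Get-Date) - $lastBoot
$patchTue = Get-LastPatchTuesday
$lastFix  = Get-HotFix | Where-Object { $_.InstalledOn } |
            Sort-Object -Property InstalledOn | Select-Object -Last 1

[pscustomobject]@{
    ComputerName            = $env:COMPUTERNAME
    LastBoot                = $lastBoot
    UptimeDays              = [math]::Round($uptime.TotalDays, 1)
    OverRebootWindow        = $uptime.TotalDays -gt $MaxUptimeDays
    LastPatchTuesday        = $patchTue
    BootedSincePatchTuesday = $lastBoot -ge $patchTue
    LastHotfixInstalledOn   = $lastFix.InstalledOn
    PendingReboot           = Test-PendingReboot   # patched but not rebooted
}
```

A host with `PendingReboot` set to true is in the state the article describes as patched but not protected; `BootedSincePatchTuesday` is only a date comparison and does not prove that the month's updates were installed.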
BeyondTrust Makes Vulnerability Management Seamless
At BeyondTrust, we can help simplify and optimize the vulnerability management lifecycle, from vulnerability assessment, to vulnerability scanning, to risk prioritization, to remediation and beyond. Our Enterprise Vulnerability Management solution can assess for missing patches using a network scanner or agent-based technology. Its unique integration into SCCM and WSUS allows for automated patch deployments to Windows hosts based on its findings and the scheduling of deployments and reboots to maintain compliance and minimize risk. This can streamline the process of rebooting Windows every 30 days and make the task efficient, effective, and standard business practice for your organization too.
Get a demo of BeyondTrust Vulnerability Management.
How to Use Vulnerability Assessment to Quantify & Reduce Cyber Risk (blog)
The Forrester Wave™: Vulnerability Risk Management, 2018 (analyst research report)
Change the Game in Vulnerability Management ( white paper )