So you’ve decided to start a quarterly or bi-annual patch program, you may find yourself thinking: “Do I really need to patch *everything*? What are the highest priority patches that I need to apply for the best risk reduction?”
The good news is that a lot of ICS vendors are stepping up their game on patching. Vendors like OSISoft are testing Microsoft patches on certain Tuesdays to ensure compatibility with their software, and publishing lists of approved patches after running a full suite tests with the OS updates.
Still, applying every last little patch for a system is time-consuming, nerve-wracking, and patches still carry risks. The best bet is to go after the hardest-hitting patches: the patches that are likely to be used by automated attacks and perhaps even by individual attackers. I’ll be showing how to automate this process with Nessus in my upcoming course at the EnergySec conference.