Kyle Fox's Security News 2023 in Review - F5 SIRT
I learnt the hard way in 2004, during the Sasser worm attack, that it is very important to install security patches as soon as possible.
Some Windows computers on the LAN were unpatched but had up-to-date antivirus, so they were not infected.
However, these computers were still force-restarted by the attacks coming from already-infected computers.
They had to be patched to be completely immune.
Most cybersecurity attacks (WannaCry, Shellshock, etc.) are based on security bugs which black-hat hackers learnt about from patch release notes.
That's why the best defense is installing security patches as soon as possible, because black-hat hackers can create the attack tools in just a few days.
Moreover, these patches are by default automatically installed by the operating system's update scheduler at NO EXTRA COST.
Red Hat does require a subscription for patch access.
So, if you don't want to pay for enterprise Linux, you can use RHEL derivatives (Oracle Linux, Rocky, etc.), Amazon AMI, etc.
How to get the latest security patches without worrying about bugs from new features in Microsoft products?
a. Microsoft Windows: defer Feature Updates for a year. This won't block the latest security updates.
b. Microsoft Office: set the update channel to Semi-Annual Enterprise.
c. Microsoft OneDrive/SharePoint: set the update channel to Deferred.
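The three deferral settings above, as an added example that is not from the original comment or from F5: a PowerShell script that writes the local-policy registry values the corresponding Group Policy settings use, then reads them back so you can confirm that Feature Updates are deferred while Quality Updates (the monthly security fixes) are not. It must run elevated, and the Windows Update policies are only honored on Pro, Enterprise and Education editions. The Windows and Office value names are the documented ones; the OneDrive update-ring value is an assumption to check against Microsoft's OneDrive policy documentation before use.

```powershell
#Requires -RunAsAdministrator
# Added example: defer feature/channel updates without deferring security updates.
# Paths are the registry locations behind the equivalent Group Policy settings.
$WuPolicy       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$OfficePolicy   = 'HKLM:\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate'
$OneDrivePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'

function Set-PolicyValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Set-UpdateDeferralPolicy {
    # a. Windows: defer Feature Updates for 365 days (the maximum the policy allows)
    #    and explicitly leave Quality Updates undeferred, so security fixes still
    #    arrive on Patch Tuesday.
    Set-PolicyValue $WuPolicy 'DeferFeatureUpdates'              1   'DWord'
    Set-PolicyValue $WuPolicy 'DeferFeatureUpdatesPeriodInDays'  365 'DWord'
    Set-PolicyValue $WuPolicy 'DeferQualityUpdates'              0   'DWord'
    Set-PolicyValue $WuPolicy 'DeferQualityUpdatesPeriodInDays'  0   'DWord'

    # b. Microsoft 365 Apps / Office: in the "Update Channel" policy the string
    #    'Deferred' selects the Semi-Annual Enterprise Channel.
    Set-PolicyValue $OfficePolicy 'updatebranch' 'Deferred' 'String'

    # c. OneDrive sync client (also used for SharePoint libraries): update ring.
    #    ASSUMPTION to verify against Microsoft's OneDrive policy docs:
    #    0 = Production, 5 = Deferred (Enterprise).
    Set-PolicyValue $OneDrivePolicy 'GPOSetUpdateRing' 5 'DWord'
}

function Test-UpdateDeferralPolicy {
    # Read everything back and return one object; every field should be $true
    # on a correctly configured machine. The most important check is the last
    # one: a policy that deferred Quality Updates would defer security patches too.
    $wu  = Get-ItemProperty -Path $WuPolicy       -ErrorAction SilentlyContinue
    $off = Get-ItemProperty -Path $OfficePolicy   -ErrorAction SilentlyContinue
    $od  = Get-ItemProperty -Path $OneDrivePolicy -ErrorAction SilentlyContinue
    [pscustomobject]@{
        FeatureUpdatesDeferred      = ($wu.DeferFeatureUpdates -eq 1 -and $wu.DeferFeatureUpdatesPeriodInDays -ge 365)
        OfficeOnSemiAnnualEnterprise = ($off.updatebranch -eq 'Deferred')
        OneDriveOnDeferredRing      = ($od.GPOSetUpdateRing -eq 5)
        SecurityUpdatesNotDeferred  = (-not $wu.DeferQualityUpdates -and -not $wu.DeferQualityUpdatesPeriodInDays)
    }
}

Set-UpdateDeferralPolicy
Test-UpdateDeferralPolicy | Format-List
```

No `gpupdate` is needed because the script writes the policy keys directly; Windows Update picks the values up at its next scan, Office at its next update check, and the OneDrive client after it restarts. If the device is already enrolled in Intune or a domain GPO that manages these keys, that management source will overwrite the values on its next refresh, so set them there instead.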