Patch management directly reduces the risk associated with newly discovered vulnerabilities. These core security processes are well known as foundational to any security program, yet a lack of effective patch management is still one of the most common issues in environments reviewed by security consultants. While patch management is a required control for many standards and regulations, many organizations are still missing significant elements of an effective patch management program.
Many solutions do not adequately address third-party applications or commercial off-the-shelf (COTS) solutions. Many organizations are also not aggressive enough with patch management. It is common to see global organizations with only quarterly or semi-annual patch schedules, and product vendors with patch cycles that exceed a year. Any gap in system or application patching exposes those systems to directed and opportunistic attacks.
6. Anti-virus, anti-spyware, and anti-malware
Users remain a significant target within most organizations. Anti-virus, anti-spyware and anti-malware solutions provide some defense against user interaction with Internet sites, malicious files, and email content. Just having the control is not enough; it requires management, review and integration with the overall vulnerability management program. Further, integration with edge controls, such as IDS/IPS, threat monitoring and even Internet access controls, can help with detection of virus/malware events and with the efforts necessary for remediation or clean-up activities.
7. Data leakage protection and Internet access control
Data leakage protection (DLP) should be implemented for any site that is concerned with regulatory compliance, protection of corporate confidential information or personally identifiable information. These tools can be used to detect ingress or egress of protected information from an environment. While a number of methods of extracting data from environments cannot be controlled through such means, DLP significantly raises the bar and prevents many common methods of extracting data from an environment. These systems are also useful in detecting misconfiguration of systems that intentionally move data between environments through common messaging tools.
Internet access control systems provide enforcement of Internet usage. This is valuable even when used only to prevent access to malicious sites. Internet access control systems can also be used to identify systems that have been subverted, including by botnets and viruses that communicate over various command and control connections. While there are other ways to control access to Internet sites (or prevent access to specific sites), dedicated systems are easier to manage and support production of consumable management reports.