I'm concerned about not knowing what I don't know about the security of my Windows endpoints -- especially regarding malware. If you had to recommend one area of focus to ensure that enterprise desktops are properly locked down from infection, what would it be?
It's good that you're concerned about Windows malware, since study after study shows that software vulnerabilities and related malware infections are a formidable threat to information security in the enterprise. It's how RSA Security was breached and Target was toppled. In fact, according to the 2014 Verizon Data Breach Investigations Report, the top 10 attack vectors for 2013 were related to people (i.e., passwords and phishing) and malware.
Having an endpoint security policy and hoping for the best isn't enough. If I had to recommend one specific area to get under control, it would be to fix the problem with patching endpoints. This goes for desktops, laptops and mobile devices where applicable (especially Windows-based systems).
The problem is that too many people assume that all the right patches are installed on their Windows systems simply because Windows Server Update Services (WSUS) says so. In many cases, users themselves are responsible for updating their workstations. How many people have delayed installing Windows patches because they didn't want to reboot time and again? All of us have!
Furthermore, the majority of missing patches (76%, according to one study) are for third-party software that goes completely ignored. It's bystander apathy at its worst, drive-by security at its finest.
In the majority of the security assessments of internal vulnerabilities that I perform, it's a very predictable scenario: Practically all desktops have zero third-party patches, most Windows servers have unexplained missing patches (typically 5 years old and older), and everyone seems to have their hands tied.
Many network and security admins are stuck with WSUS, don't have the budget for a comprehensive patch management system, and don't trust that their users will do the right thing to keep their software up to date.
Unless and until you address this core issue, vulnerabilities to malware infection will remain. If you are able to get patch management under control, you won't fully eliminate Windows malware, but at least you'll minimize one of the greatest risks your business faces.
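One way to check an endpoint's real patch state without taking WSUS's word for it is sketched below. This is an added example, not part of the original answer; `$RequiredKBs` and `$Baseline` hold placeholder values that you would replace with your own patch baseline.

```powershell
# Added example: local patch-state audit that does not rely on WSUS reporting.
# $RequiredKBs and $Baseline are placeholders; fill them from your own baseline.
$RequiredKBs = @('KB0000000')                      # placeholder KB id
$Baseline    = @{ 'Example PDF Reader' = '1.2.3' } # hypothetical product and minimum version

# 1. Windows updates actually present on this host.
$installed  = Get-HotFix | Select-Object -ExpandProperty HotFixID
$missingKBs = $RequiredKBs | Where-Object { $_ -notin $installed }

# 2. Patches staged but not applied because the reboot was postponed.
$rebootKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
)
$rebootPending = [bool]($rebootKeys | Where-Object { Test-Path $_ })

# 3. Third-party software, read from the 64-bit and 32-bit uninstall keys.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$software = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.Publisher -notlike '*Microsoft*' })

# Compare each baselined product against its minimum version.
$outdated = foreach ($app in $software) {
    $min = $Baseline[$app.DisplayName]
    if (-not $min) { continue }
    $have = $null
    # Version strings that do not parse are reported rather than silently skipped.
    if (-not [version]::TryParse($app.DisplayVersion, [ref]$have) -or $have -lt [version]$min) {
        [pscustomobject]@{ Name = $app.DisplayName; Installed = $app.DisplayVersion; Minimum = $min }
    }
}

# One summary object per host, suitable for export and comparison with WSUS reports.
[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    MissingKBs      = $missingKBs -join ','
    RebootPending   = $rebootPending
    ThirdPartyCount = $software.Count
    Outdated        = $outdated
}
```

`Get-HotFix` reports only updates recorded through Component Based Servicing, so treat an empty `MissingKBs` as one data point to compare against WSUS and scanner results rather than as proof of full coverage.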