Denys Rudyi - Fotolia

Get started Bring yourself up to speed with our introductory content.

Windows malware must be top endpoint security priority

The number of endpoint security vulnerabilities is daunting, but endpoint admins should first focus on updating patches against Windows malware.

I'm concerned about not knowing what I don't know about the security of my Windows endpoints -- especially regarding malware. If you had to recommend one area of focus to ensure that enterprise desktops are properly locked down from infection, what would it be?

It's good that you're concerned about Windows malware, since study after study shows that software vulnerabilities and related malware infections are a formidable threat to information security in the enterprise. It's how RSA Security was breached and Target was toppled. In fact, according to the 2014 Verizon Data Breach Investigations Report, the top 10 attack vectors for 2013 were related to people (i.e., passwords and phishing) and malware.

Having an endpoint security policy and hoping for the best isn't enough. If I had to recommend one specific area to get under control, it would be to fix the problem with patching endpoints. This goes for desktops, laptops and mobile devices where applicable (especially Windows-based systems).

The problem is that too many people assume that all the right patches are installed on their Windows systems simply because Windows Server Update Services (WSUS) says so. In many cases, users themselves are responsible for updating their workstations. How many people have delayed installing Windows patches because they didn't want to reboot time and again? All of us have!

Furthermore, the majority of missing patches (76%, according to one study) is for third-party software that goes completely ignored altogether. It's bystander apathy at its worst, drive-by security at its finest.

In the majority of the security assessments of internal vulnerabilities that I perform, it's a very predictable scenario: Practically all desktops have zero third-party patches, most Windows servers have unexplained missing patches (typically 5 years old and older), and everyone seems to have their hands tied.

Many network and security admins are stuck with WSUS, don't have the budget for a comprehensive patch management system, and don't trust that their users will do the right thing to keep their software up to date.

Unless and until you address this core issue, vulnerabilities to malware infection will remain. If you are able to get patch management under control, you won't fully eliminate Windows malware, but at least you'll minimize one of the greatest risks your business faces.

Next Steps

If you're sticking with Windows XP, reduce security exposure

More rapid Microsoft updates could affect Patch Tuesdays

A malware infection flowchart can guide admins to cleanup

Dig Deeper on Patches, alerts and critical updates

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

Do you agree that patching against Windows malware should be IT's top endpoint security priority? If not, why not?