This white paper outlines the limitations of traditional defense mechanisms, specifically how cybercriminals have refined the malware manufacturing and development process to systematically bypass them, thereby initiating an arms race with defenders. Security patches are found to be a primary and effective means to escape this arms race as they remediate the root cause of compromise. However, timely patching of the software portfolio of any organisation is like chasing a continually moving target.
• Compliance does not imply security.
• Patching is all about quality not quantity. A comparison of two patching strategies shows that knowing what to patch pays off.
• Research reveals that an 80% reduction in risk can be achieved by patching and identifying either the 12 most risky programs or the 37 most prevalent programs.
Unfortunately, user accounts with reduced privileges do not provide protection from attack, misuse, or compromise. Reduced privileges for end-users can only be regarded as one part of an effective security strategy that should not be solely relied on. Organisations should know the limitations of this approach to prevent them from getting a false sense of security and under-investing in complementary security layers.
This paper discusses the limitations of security by denying users administrative access to their systems, and highlights how cybercriminals can achieve their goals without administrative access.
• Limiting users' privileges on end-points should not be seen as a replacement for vulnerability management and expedited patching of software
• Anti-virus or other protection technologies can't replace vulnerability management and expedited patching of software
• Effective patch management is an absolute must to reduce the window of exposure and eliminate the root cause of potential compromise
In Aberdeen's research on Managing Vulnerabilities and Threats: No, Anti-Virus is Not Enough (December 2010), we saw that companies perceive malware as both high-incidence and high-risk, and that they are spending a material amount of money on their vulnerability management initiatives. But further analysis shows that in spite of these expenditures they may actually be ignoring as much as 80-90% of their endpoint security-related risk.
• In many ways, managing enterprise risk is like managing cholesterol: It comes in two types, both "bad" and "good"
• Any organization whose business involves networks, computers and application software is at risk due to vulnerabilities in these assets that can potentially be exploited.
• Although senior management should take a closer look to ensure that they are not inadvertently accepting risks by ignoring them (e.g. in the case of third-party vulnerabilities).