In Aberdeen's research on "Managing Vulnerabilities and Threats: No, Anti-Virus is Not Enough" (December 2010), we saw that companies perceive malware as both high-incidence and high-risk, and that they are spending a material amount of money on their vulnerability management initiatives. But further analysis shows that, in spite of these expenditures, they may actually be ignoring as much as 80-90% of their endpoint security-related risk.
Unfortunately, user accounts with reduced privileges do not provide protection from attack, misuse, or compromise. Reduced privileges for end-users can only be regarded as one part of an effective security strategy and should not be relied on alone. Organisations should know the limitations of this approach so that they do not develop a false sense of security and under-invest in complementary security layers.
This paper discusses the limitations of security by denying users
This white paper outlines the limitations of traditional defense mechanisms, specifically how cybercriminals have refined the malware manufacturing and development process to systematically bypass them, thereby initiating an arms race with defenders. Security patches are found to be a primary and effective means to escape this arms race as they remediate the root cause of compromise. However, timely patching of the software portfolio of any organisation is like chasing a continually moving