In my previous post, I kicked off 2011 with a recommendation for improving your “security bang for the buck” or quick wins for information security in 2011 – increasing patching breadth and depth.
Here’s a few more to consider in 2011:
- In a response to this post on the value (or lack thereof) of antivirus technology, one of my blog readers had proposed “disabling autorun” on removable media and I agree.
- In a response to the reader’s comment above, I added this recommendation: activate the data execution prevention capabilities of your OS and extend this to the applications running on the OS. Windows, Mac OS, and Linux all support this built in capability of Intel and AMD x86 hardware.
- Shift more users to run with standard user privileges and use the migration to Windows 7 as a catalyst to make this change. I’ve stated this many times over the past year and will continue to do so in 2011.
- Upgrade to the latest version of the EPP software you use to protect users. In nearly all cases, these upgrades are covered under existing maintenance contracts.
- Beef up the capabilities of the device between the user and the web. Historically, this was a a proxy device with URL filtering; however, the next-generation of these devices (which we refer to as secure web gateways – SWG) go well beyond this with full antimalware scanning and URL reputation services.
- Better yet, supplement the on-premises SWG above with cloud-based SWG filtering capabilities for users which are not connected to the enterprise network (and thus aren’t having their traffic filtered with on-premises SWG devices). Most of the leading SWG providers have made acquisitions to provide exactly this capability
- In addition to patching breadth and depth, make sure you have established secure configuration standards for all machines – desktops, servers and laptops – and are regularly scanning all machines for correct configuration and drift.
All of the above are relatively low cost, but provide a significant improvement in overall security levels without breaking the 2011 budget.
Category: Beyond Anti-Virus Cloud Security Endpoint Protection Platform Windows 7 Tags: Best Practices, Beyond Anti-Virus, Cloud Security, Endpoint Protection Platform, Information Security, Lockdown, Reducing Cost, Security No-Brainer, Windows