The Good, The Bad, and The Unknown – Part 1

The year 2010 has already demonstrated more potent exploit of vulnerabilities in standard desktop applications and browsers. Through appropriate deployment of protections, IT teams can build up an integrated base of countermeasures to eliminate fear of the unknown, while protecting against the bad and enabling the good, both good code and the successful operation of your business.

The high volume of malware and vulnerabilities increases the likelihood they will affect your users and systems. With more complex web applications and more users browsing the web on business systems, the likelihood of a breach or major infection increases dramatically.

It takes time to develop patches once vulnerability is uncovered. Some older systems may stop receiving patches. Some bugs will never be patched. When patches become available, Microsoft’s scheduled patch release program, known as Patch Tuesday, means some companies install patches for operating systems and Microsoft applications. More and more, other server- and client-side application-layer vendors, including Oracle and Adobe, are moving to this scheduled release approach. The published schedule also allows attackers to plan. They can capitalize on the window between the time the vulnerability is discovered and the time the signature, patch, or DAT anti-virus file is actually installed.

Many attackers are focusing their energies on the client because it is now seen as a weaker link since servers tend to be patched first because of their value as a shared resource.

Several different types of protection at the client level in addition to a defense in depth approach at the gateway and network level are important in defending systems, including:

• Anti-malware on the client— you should have anti-malware (anti-virus and anti-spyware) installed on the system itself. If DAT downloads occur regularly (and most solutions download at least daily), they should blacklist, or block, based on the signature for a known vulnerability.

• Host intrusion prevention on the client—your host intrusion prevention system will also be a key defense and will protect against new vulnerabilities and exploits.

• Application whitelisting. For situations where desktops need to be locked down so that only authorized applications run, e.g., COE environments or where valuable data resides- we recommend augmenting your current defenses with application whitelisting. Or, you have fixed function systems that cannot be patched, application whitelisting will ensure only approved good code is the only code allowed to run. This type of protection can block unauthorized changes to applications, effectively locking down system configurations to a known good state.

Tags: Cybercrime, Endpoint Protection, Patch Tuesday