Beware the browser within

I travel the world helping people make their computers and networks more secure. A question I get asked every week is, "What are the best steps I can take to protect my network?" I can understand the concern. Despite increasing amounts of the IT budget being thrown at the problem, nearly every computer security survey taken says malicious computer hacking has never been worse. It's more criminal in nature and more pervasive, and it's stealing more money and identities than ever before.

In general, we're doing a fairly good job of securing our servers, even though application coding security errors abound and continue to be the main weak server link. But Security Development Lifecycle (SDL) and code review tools are starting to permeate more programming departments. Other initiatives, such as the SANS Secure Programming Assessment program, are working to improve secure programming skills and methodologies.

Despite the advances in programming, we seem unable to convince some end-users to stop clicking on things they should not be clicking on. Client-side attacks continue to be a huge risk in most environments. Malicious hackers aren't as concerned with breaking into servers directly anymore; it's far easier to break into an end-user's workstation inside the firewall and security perimeter, then attack from within. Research the latest public hacking reports -- you'll find a large percentage of them include a reference to an infected insider.

The best bang-for-the-buck defenses for client-side attacks haven't changed in a decade. It doesn't matter what platform you have; whether it's Windows, Linux, BSD, Solaris, AS/400, or a mainframe, the same protection rules apply. If you want a more secure network, focus on these four tasks, in order of decreasing importance:

Prevent people from clicking on things they shouldn't click on

This one is easier said than done. It normally involves all the software and settings we associate with antimalware programs (that is, anti-virus, anti-spam, antispyware, and so on). It means blocking malicious e-mails and file attachments, as well as filtering out malicious Web links. End-user education will never prevent a small minority of users from being tricked into clicking something they shouldn't, so focus on making it absolutely impossible for them to click on the wrong thing. 

Keep your computers and devices fully patched

Keep all your computers fully patched: applications, operating systems, and every computing device. Admins are doing a good job of keeping the OS patched. Heck, in the vast majority of cases, just accept the default vendor settings and your OS should patch itself. Many applications are taking the auto-patch approach, and that is a good thing. Still, I rarely find a company that has even one workstation fully patched and up to date. I'm not talking about a machine that is behind one or two weeks; most computers contain unpatched software many months old.