A corollary to controlling what can be installed is restricting who can install it. To prevent the easy installation of programs that have not been reviewed or approved, don't let anyone run with elevated privileges or permissions for routine work. You can do this using manual processes, privileged identity management (PIM) products, Microsoft's User Account Control (UAC), Unix/Linux's sudoers functionality, or any other method or product that accomplishes the same goal.
The dirty little secret is that removing elevated privileges still won't seal off your defenses. Plenty of malicious programs can run or be installed without elevated privileges. Malicious programs can accomplish nearly everything their authors want without the user being logged in as Administrator or root: they can steal passwords and identities, and they can redirect browsers to places the user never intended to go. Nonetheless, you reduce risk somewhat if users work from less-privileged accounts while reading email or surfing the Web.
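One way to put the "restrict who can install what" control above into practice on Linux, as an added example that is not from the article: instead of granting a group blanket sudo access to the package manager, point the sudoers rule at a small wrapper that only installs packages from a reviewed allowlist and logs every decision. The group name, allowlist path, log path and wrapper name are assumptions.

```shell
#!/bin/sh
# approved-install (hypothetical): installs only packages on a reviewed allowlist.
# Intended sudoers rule (assumed group name), so staff never need a root shell:
#   %pkgadmins ALL=(root) /usr/local/sbin/approved-install
ALLOWLIST="${ALLOWLIST:-/etc/approved-packages.txt}"     # one package name per line
INSTALL_LOG="${INSTALL_LOG:-/var/log/approved-install.log}"

# Accept only plain lowercase package names. Rejecting a leading "-" and shell
# metacharacters blocks option injection (e.g. "-o ...") and command chaining,
# which is exactly what a sudoers rule with a wildcard argument cannot prevent.
valid_name() {
    case "$1" in
        ''|-*|*[!a-z0-9.+-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Returns 0 if the name is well formed and listed in the allowlist, 1 otherwise.
# -F: literal match, -x: whole line, so "." and "+" in names are not regex syntax.
is_approved() {
    valid_name "$1" || return 1
    grep -qxF -- "$1" "$ALLOWLIST" 2>/dev/null
}

# Install one approved package; ALLOW/DENY decisions are logged with the
# invoking user (SUDO_USER is set by sudo) for later review.
approved_install() {
    pkg="$1"
    who="${SUDO_USER:-$(id -un)}"
    stamp="$(date -u +%FT%TZ)"
    if ! is_approved "$pkg"; then
        printf '%s DENY user=%s pkg=%s\n' "$stamp" "$who" "$pkg" >>"$INSTALL_LOG"
        return 1
    fi
    printf '%s ALLOW user=%s pkg=%s\n' "$stamp" "$who" "$pkg" >>"$INSTALL_LOG"
    apt-get install -y -- "$pkg"
}

# Only act when run as the wrapper itself, not when sourced for testing.
if [ "${0##*/}" = "approved-install" ]; then
    approved_install "$1"
fi
```

Because the sudoers rule names the wrapper rather than apt-get, the reviewed allowlist, not the user, decides what gets installed.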
Lastly, don't neglect end-user education. After application control, it's the best way to prevent unwanted programs from being installed -- when it's done right. Most end-user education misses obvious points and refers to outdated threats. Get the backing of management, conduct mandatory sessions on a regular basis, and ensure your instruction is current and specific to your organization. When users know what their own antimalware software looks like, they're much less likely to fall for the fake stuff.
Patch everything faster
The other best defense is to patch all software in a timely way. This has been a mantra for more than two decades now, which is why it's so surprising that so few companies patch as quickly as they should. Yes, they're doing better at patching operating systems, but they do a horrible job of patching the most popular Internet add-on products, such as Oracle Java or Adobe Acrobat, both of which have been ranked as the most exploited products for years.
Websense recently collected data showing that 74 percent of active computers were still susceptible to Java exploits from 2012. No less than 94 percent were susceptible to the latest patched Java exploit. My personal experience completely backs up these points. I rarely find a patched Java installation. I find unpatched Java on workstations and servers that have no need for Java. This same unpatched Java allows your company to be silently infected over and over.
Your company cannot plausibly claim it cares about the security of its data if it fails to patch the most exploited program of the day. I understand the frustrations and challenges of better patching. I understand that we computer security people would patch things better and faster if it were left up to us. But simply not doing this one thing better means you'll never be free of easy computer compromise. The hackers will always enter your company's boundaries and steal data and passwords at will. You cannot stop them.
Of course it takes more than two computer defenses to make a complete defense. You still face password-cracking hackers, SQL injections, XSS browser attacks, misconfiguration exploits, zero-day vulnerabilities, and so on. But all of those attack types, in aggregate, don't hold a candle to the main two problems. Solve them and you'll be a hero.
This story, "The two steps to radically better security," was originally published at InfoWorld.com. Read more of Roger Grimes' Security Adviser blog at InfoWorld.com.