Vulnerabilities in software and firmware are among the most common ways to attack a system, and the two revised publications approach the problem from two sides: new guidance on patching software and new guidance on warding off malware.
NIST first updated its guide to identifying, acquiring, installing and verifying patches for products and systems. The earlier guidance, 'Creating a Patch and Vulnerability Management Program' (SP 800-40 Version 2.0), was written when patching was largely a manual process. The revision, 'Guide to Enterprise Patch Management Technologies' (SP 800-40 Revision 3), is instead aimed at agencies that use automated patch management systems, such as those based on NIST's Security Content Automation Protocol (SCAP). The guide explains the basics of the technology and covers metrics for assessing how effective it is.
The second document, NIST's 'Guide to Malware Incident Prevention and Handling for Desktops and Laptops' (SP 800-83 Revision 1), was updated to help agencies defend against modern malware, which is harder to detect and eradicate than the malware prevalent when the previous version was published in 2005. The new guidance reflects the growing use of social engineering and the harvesting of information from social networking sites to target attacks.
The malware guide also describes how to modernize an organization's malware incident prevention measures and offers recommendations for extending an existing incident response capability to handle modern malware. NIST recommends that organizations plan and implement malware incident prevention around the attack vectors most likely to be used now and in the near future.
Because the effectiveness of a prevention technique varies with the environment (e.g., a technique that works well in a managed environment may be ineffective in an unmanaged one), organizations should choose preventive methods suited to their environment and hosts. An organization’s approach to malware incident prevention should cover policy, awareness programs for users and information technology (IT) staff, vulnerability and threat mitigation, and defensive architecture.
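The patch guide's point about metrics, and the malware guide's point that a control's effectiveness depends on whether a host is centrally managed, can both be seen in a small script. The following is an added example and not code from either NIST publication or from any SCAP tool: it computes three common patch-management metrics (coverage, mean days from vendor release to deployment, and hosts that have missed a patching SLA) over a constructed host inventory, reporting managed and unmanaged hosts separately. The patch identifiers, host names, dates and the 14-day SLA are all made up for illustration.

```python
"""Patch-management metrics over a constructed host inventory (added example)."""
from dataclasses import dataclass, field
from datetime import date
from statistics import mean


@dataclass(frozen=True)
class Patch:
    patch_id: str   # hypothetical identifier, not a real vendor patch
    released: date  # vendor release date


@dataclass(frozen=True)
class Host:
    name: str
    managed: bool                                # True = under central patch management
    applied: dict = field(default_factory=dict)  # patch_id -> date the patch was applied


# Constructed sample data; identifiers and dates are invented for this example.
PATCHES = [
    Patch("PATCH-A", date(2013, 6, 1)),
    Patch("PATCH-B", date(2013, 6, 15)),
]
HOSTS = [
    Host("ws01", True, {"PATCH-A": date(2013, 6, 3), "PATCH-B": date(2013, 6, 20)}),
    Host("ws02", True, {"PATCH-A": date(2013, 6, 10)}),
    Host("srv01", True, {"PATCH-A": date(2013, 6, 5), "PATCH-B": date(2013, 6, 16)}),
    Host("laptop07", False, {}),  # unmanaged host, e.g. a contractor laptop
]


def coverage(patches, hosts):
    """Fraction of hosts on which each patch is applied (0.0 when there are no hosts)."""
    return {
        p.patch_id: (sum(p.patch_id in h.applied for h in hosts) / len(hosts)) if hosts else 0.0
        for p in patches
    }


def mean_deployment_lag(patch, hosts):
    """Mean days from vendor release to application, over hosts that applied the patch.

    Returns None when no host in the group has applied it, so a missing patch is not
    silently reported as a lag of zero.
    """
    lags = [(h.applied[patch.patch_id] - patch.released).days
            for h in hosts if patch.patch_id in h.applied]
    return mean(lags) if lags else None


def overdue(patches, hosts, as_of, sla_days):
    """(host, patch) pairs where the patch has been out longer than sla_days and is still missing."""
    return [
        (h.name, p.patch_id)
        for h in hosts
        for p in patches
        if p.patch_id not in h.applied and (as_of - p.released).days > sla_days
    ]


def report(patches=PATCHES, hosts=HOSTS, as_of=date(2013, 7, 1), sla_days=14):
    """Metrics split by environment: managed and unmanaged hosts are scored separately."""
    out = {}
    for label, group in (("managed", [h for h in hosts if h.managed]),
                         ("unmanaged", [h for h in hosts if not h.managed])):
        out[label] = {
            "coverage": coverage(patches, group),
            "mean_lag_days": {p.patch_id: mean_deployment_lag(p, group) for p in patches},
            "overdue": overdue(patches, group, as_of, sla_days),
        }
    return out


if __name__ == "__main__":
    for env, metrics in report().items():
        print(env, metrics)
```

Splitting the report by environment is the practical consequence of the guidance above: a 100% coverage figure for managed workstations says nothing about the contractor laptop, and averaging the two groups together would hide exactly the hosts that need a different control.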
Organizations should also ensure their policies address prevention of malware incidents, NIST added. An organization’s policy statements are the basis for its other malware prevention efforts: user and IT staff awareness, vulnerability mitigation, threat mitigation and defensive architecture.
If an organization does not state malware prevention considerations clearly in its policies, it is unlikely to perform malware prevention activities consistently and effectively across the organization. Malware prevention policy should be general enough to allow flexibility in implementation and to avoid frequent updates, yet specific enough to make its intent and scope clear. It should also cover remote workers, both those using hosts the organization controls and those using hosts outside its control (e.g., contractor computers, employees’ home computers, business partners’ computers, mobile devices).