Patches are often used to resolve bugs and security vulnerabilities in an application, which means they are critical to ensuring the security of those applications. Organizations should be performing vulnerability scans to identify missing patches and, when a patch for an application is released by a vendor, updates must be applied in a timeframe commensurate with their exposure to vulnerability. They should also be removing applications that are no longer supported by vendors.

Patches on operating systems are intended to fix performance bugs and address security vulnerabilities, and ensuring they are applied can prevent crashes due to software defects and extended downtime during security incidents. Organizations should conduct regular scans for patch updates and apply those updates in a timely manner. All patches for operating systems should be tested before installing to ensure that they are safe.

Multifactor authentication (MFA) prevents unauthorized users or threat actors from gaining access to a computing device, network, or database, and also makes it more difficult to steal legitimate credentials. Organizations should mandate two or more identifiers in addition to a password to gain access to an application or service. In so doing, unauthorized users are unable to meet the second authentication requirement, even in the case that a legitimate credential is compromised.

When threat actors gain access to workstations or servers, they can elevate privileges to spread to other hosts, hide their existence, obtain sensitive data, or resist removal efforts. Organizations should restrict the permissions that allow users to perform certain functions on a system or network, as well as restrict access to certain applications, files, and data. With fewer users able to make significant changes and access sensitive data, the operating environment is more predictable and easier to administer.

Application control ensures the security of systems by controlling the execution of applications based on a set of predefined rules and policies. It ensures that only approved applications can be installed and used, which prevents unauthorized users or threat actors from executing and spreading malicious code. Organizations should identify approved applications, develop control rules to ensure that only approved applications can execute, and validate the performance of these control rules on a frequent basis.

Users can write macros for legitimate reasons, such as improving productivity, but they can also be written by threat actors in order to gain access to a system and perform various malicious activities. Organizations should manage the use of macros and have them checked by assessors that are independent of macro developers. Assessing the safety of a macro involves verifying if there is a business requirement for the macro, confirming that the macro has been developed by a trusted party, and ensuring that the macro is free of signs of malicious code.

Some commonly used applications can perform high-risk functions, and threat actors can exploit these functions in applications that frequently interact with the web. At the very least, organizations should disable unnecessary and/or high-risk functions in these programs. Higher cybersecurity maturity requires a more layered approach, that may involve runtime protection, application monitoring, code obfuscation, and strong authentication requirements.

Backing up important data, software, and configuration settings is part of any strong incident response plan. It’s a precautionary measure that protects against hardware failure, human error, and cyber incidents, by ensuring that an organization can restore important information. Organizations should establish a regular backup routine, with regularity based in how frequently their data changes and how important that data is. There should also be access controls around backups and a process for modification and deletion.