That, and they should harden all their systems and the network so that one infected machine can't do much at all. That's what we do. Sure, a machine gets infected, then it tries to infect other machines, only to be blocked by access control lists. If it does find a way past the access control list, it gets to a hardened machine that has no listening ports due to reduced services and personal firewalls. So its only vector of attack is the server network, on limited ports to limited servers that are also hardened. The biggest hole happens to be AD, but that's patched regularly, limiting it to zero-day vulnerabilities. As well, there are tripwires everywhere, so when a client PC starts behaving oddly the network port is shut down. It's stuff like if services are stopped and started that normally wouldn't be, like AV software, or if new admin accounts are created, the port is downed. If the machine starts trying to communicate with another client PC, it's blocked and logged, and enough of these shuts the port. Basically, an infection is caught in seconds and isolated.
Security is all about layers, monitoring and responding. A blanket ban on USB drives is extreme, but there are times when it should be done. More so in times when you want to make sure people can't take confidential information home for business or nefarious purposes. But to prevent the spread of viruses, it's extreme.
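The tripwire rules described in the comment above, sketched as an added example that is not part of the original comment or any product it refers to: a protected service stopping or a new admin account shuts the port at once, while blocked client-to-client attempts shut it only after a threshold. The event names, host names, service name, threshold and window are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

# Assumed policy values; the comment only says "enough of these".
BLOCK_THRESHOLD = 3                 # blocked client-to-client attempts
BLOCK_WINDOW_S = 60                 # sliding window, seconds
PROTECTED_SERVICES = {"av_agent"}   # hypothetical service name

def evaluate(events):
    """Return {host: (timestamp, reason)} for switch ports to shut.

    events: iterable of (timestamp_s, host, kind, detail), sorted by time.
    """
    shut = {}
    recent_blocks = defaultdict(deque)
    for ts, host, kind, detail in events:
        if host in shut:
            continue  # port already down; later events are irrelevant
        if kind == "service_stop" and detail in PROTECTED_SERVICES:
            shut[host] = (ts, f"protected service stopped: {detail}")
        elif kind == "admin_account_created":
            shut[host] = (ts, f"new admin account: {detail}")
        elif kind == "acl_block_client_to_client":
            q = recent_blocks[host]
            q.append(ts)
            # Drop attempts that have aged out of the sliding window.
            while q and ts - q[0] > BLOCK_WINDOW_S:
                q.popleft()
            if len(q) >= BLOCK_THRESHOLD:
                shut[host] = (ts, f"{len(q)} blocked client-to-client "
                                  f"attempts within {BLOCK_WINDOW_S}s")
    return shut

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    (0,   "pc-101", "acl_block_client_to_client", "pc-102"),
    (5,   "pc-207", "service_stop", "print_spooler"),  # not protected
    (10,  "pc-101", "acl_block_client_to_client", "pc-103"),
    (12,  "pc-330", "admin_account_created", "svc_tmp"),
    (20,  "pc-101", "acl_block_client_to_client", "pc-104"),
    (30,  "pc-415", "acl_block_client_to_client", "pc-101"),
    (200, "pc-415", "acl_block_client_to_client", "pc-102"),
    (400, "pc-415", "acl_block_client_to_client", "pc-103"),
    (405, "pc-520", "service_stop", "av_agent"),
]

if __name__ == "__main__":
    for host, (ts, reason) in sorted(evaluate(SAMPLE_EVENTS).items()):
        print(f"t={ts:>3}s shut port for {host}: {reason}")
```

The sliding window is what keeps a slow trickle of blocked attempts (pc-415 in the sample) from downing a port, while a burst (pc-101) does.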




