On a regular basis, such as monthly, effective organizations download and test the free EICAR file to verify that anti-virus protection is functioning on a sampling of protected workstations and servers. Anti-malware tools should detect this benign file, and security personnel verify that the detection event is noted in enterprise monitoring and alerting systems.
Organizations can use commercial software update products on Windows and various free Linux software update tools to deploy patches and up-to-date versions of software throughout an environment. To verify that such software is successfully deployed, the update tool itself is run to check the version installed on a sample of enterprise systems. Other organizations use a commercial version-checking tool to ensure that updates have been applied to systems.
Advanced: Some enterprises deploy free honeypot and tarpit tools to identify attackers in their environment, running this free software on low-cost hardware. Security personnel continuously monitor the honeypots and tarpits to determine whether traffic is directed to them and whether account logins are attempted. When they identify such events, these personnel gather the source address from which the traffic originates for a follow-on investigation.
Critical Control 13: Limitation and Control of Ports, Protocols and Services
How do attackers exploit the lack of this control?
Attackers search for services that have been turned on and that can be exploited. Common examples are web servers, mail servers, file and print services, and DNS servers. Many software packages automatically install services and turn them on as part of the installation of the main software package without ever informing the user that the services have been enabled. Because the user does not know about the services, it is highly unlikely that the user will actively ensure the services are disabled if they are not being used, or regularly patched if they are being used.
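The defender's counterpart to this is a baseline of what is allowed to listen on each host. The following Python script is an added example, not part of this document: it parses the output of Linux `ss -H -tlnp` (a constructed sample is embedded so it runs offline) and reports every listener whose port/process pair is not on a hypothetical approved list, which is how silently enabled services such as a print spooler or a database get surfaced.

```python
import re
import subprocess

# Approved listeners for this host class: port -> process name.
# Hypothetical policy for the example; a real deployment loads a maintained baseline.
APPROVED = {22: "sshd", 443: "nginx"}

# Constructed sample of `ss -H -tlnp` output (headerless, TCP, listening, numeric,
# with owning process) so the audit can be exercised without a live host.
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*    users:(("nginx",pid=1201,fd=6))
LISTEN 0      4096         0.0.0.0:631       0.0.0.0:*    users:(("cupsd",pid=655,fd=7))
LISTEN 0      80        127.0.0.1:3306      0.0.0.0:*    users:(("mysqld",pid=1340,fd=21))
LISTEN 0      128             [::]:22           [::]:*    users:(("sshd",pid=812,fd=4))
"""

# State Recv-Q Send-Q Local:Port Peer:Port [Process]; the address may be IPv4 or [IPv6].
_LINE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s*(?P<proc>.*)$')
_PROC = re.compile(r'\(\("(?P<name>[^"]+)"')

def parse_listeners(text):
    """Return (port, process, local_address) tuples for each LISTEN line in ss output."""
    listeners = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        pm = _PROC.search(m.group("proc"))
        proc = pm.group("name") if pm else "?"   # "?" when ss could not resolve the owner
        listeners.append((int(m.group("port")), proc, m.group("addr")))
    return listeners

def unexpected_listeners(text, approved=APPROVED):
    """Listeners whose (port, process) pair is not in the approved policy, sorted by port."""
    # A loopback-only listener is still reported; the address lets the caller
    # prioritise the ones reachable from the network.
    return sorted({(port, proc, addr) for port, proc, addr in parse_listeners(text)
                   if approved.get(port) != proc})

def audit_live_host(approved=APPROVED):
    """Run ss on the current Linux host and return its unapproved listeners."""
    out = subprocess.run(["ss", "-H", "-tlnp"], capture_output=True, text=True, check=True).stdout
    return unexpected_listeners(out, approved)

if __name__ == "__main__":
    for port, proc, addr in unexpected_listeners(SAMPLE_SS_OUTPUT):
        print(f"unapproved listener: {proc} on {addr}:{port}")
```

Feeding the same output through a scheduled job and diffing against the previous run turns this into the change detection that catches a service an installer switched on.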