An IT security pro at a New York financial firm recommends the Rapid7 Nexpose Community edition vulnerability scanner, which aims to support the entire vulnerability management spectrum, including discovery, detection, verification, risk classification, impact analysis, reporting and mitigation. The free Community edition scans 32 IPs on networks, operating systems and databases.
Rapid7 also offers a free version of its Metasploit penetration testing software for small businesses. The simple web interface lets companies safely simulate attacks on their network to uncover security issues.
Though password management tools have been around for years, users have shied away from them because they were too manual or too difficult to configure and manage, Westervelt says. But new versions, like LastPass, are more automated and easy to use. LastPass offers a free version for computers, and for an additional fee users can download the mobile app for smartphones and tablets.
"It's very intuitive," says Westervelt. "It automatically notices when you're on a site that has [your password] in the vault."
Sometimes security features are hiding in plain sight. "I think that WSUS and EMET from Microsoft are overlooked by a lot of companies, but they are great tools to use," says Steven Becker, an associate vice president of IT security in New York.
Microsoft's Enhanced Mitigation Experience Toolkit (EMET) is a utility that helps prevent vulnerabilities in software from being successfully exploited. It uses security mitigation technologies that throw obstacles in the way of the bad guys.
"EMET gives the ability to force programs to use different security mechanisms that are available in Windows," Becker says. For instance, "EMET uses a few different memory addressing protections that make it harder for malware to find the memory space it wants to execute in."
Other advanced features for certificate pinning can aid against phishing attacks, he adds. "Although it requires some homework, it is possible to push EMET and its protection profiles to an enterprise environment through group policy objects."
An overwhelming majority of attacks exploit known vulnerabilities where the patch had been available for months prior to the breach, according to Verizon's DBIR 2015. "So keeping software updated helps immensely against known vulnerabilities," Becker says. Windows Server Update Services allows administrators to manage the distribution of updates that are released through Microsoft Update to computers in their network.
"Ensuring that production machines have the proper security updates in a controlled manner is a huge burden that can be completely automated through the proper use of WSUS and group policy," Becker says. WSUS can also push out third-party updates, such as Java or Adobe Flash, using several different open source package publishers. Both Microsoft security tools are "free" to licensed Windows software or server customers.
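As an added example that is not part of the article, and not a Microsoft or WSUS tool, the following PowerShell audits the client side of the WSUS-via-group-policy setup Becker describes. It reads the documented Windows Update policy registry values (WUServer, WUStatusServer, UseWUServer, NoAutoUpdate, AUOptions) on the local machine and flags settings that would leave a production host updating outside the controlled WSUS channel; run it in an elevated session.

```powershell
# Added example (not from the article): audit a Windows client's WSUS policy
# as applied by Group Policy. Reports whether updates are pulled from an internal
# WSUS server and whether automatic download and scheduled install are enforced.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey     = Join-Path $policyKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, i.e. no policy applied
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$wuServer     = Get-PolicyValue $policyKey 'WUServer'
$statusServer = Get-PolicyValue $policyKey 'WUStatusServer'
$useWuServer  = Get-PolicyValue $auKey 'UseWUServer'
$noAutoUpdate = Get-PolicyValue $auKey 'NoAutoUpdate'
$auOptions    = Get-PolicyValue $auKey 'AUOptions'

# AUOptions values as defined by the Windows Update policy settings
$auMeaning = @{ 2 = 'Notify before download'; 3 = 'Auto download, notify to install';
                4 = 'Auto download and schedule install'; 5 = 'Local admin chooses' }

$findings = @()
if (-not $wuServer) {
    $findings += 'No WUServer set: client updates directly from Microsoft Update, outside WSUS control.'
} elseif ($wuServer -notmatch '^https://') {
    $findings += "WUServer '$wuServer' is not HTTPS; WSUS hardening guidance recommends TLS to the server."
}
if ($useWuServer -ne 1)  { $findings += 'UseWUServer is not 1: the WUServer value is ignored.' }
if ($noAutoUpdate -eq 1) { $findings += 'NoAutoUpdate is 1: automatic updating is disabled by policy.' }
if ($auOptions -ne 4) {
    $findings += "AUOptions is '$auOptions' ($($auMeaning[[int]$auOptions])): installs are not scheduled automatically."
}
if (-not $statusServer)  { $findings += 'No WUStatusServer: compliance reporting will not reach WSUS.' }

[pscustomobject]@{
    WUServer       = $wuServer
    WUStatusServer = $statusServer
    UseWUServer    = $useWuServer
    AUOptions      = $auOptions
    Compliant      = ($findings.Count -eq 0)
    Findings       = $findings
} | Format-List
```

A host with an empty Findings list is pointed at WSUS, reports its status there, and installs approved updates on the scheduled window; anything else is a gap between the intended policy and what the client actually applies.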