Apply appropriate updates provided by Broadcom to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
Safeguard 7.1: Establish and maintain a vulnerability management process: Establish and maintain a documented vulnerability management process for company assets. Review and update documentation annually or when significant changes within the business occur that could impact this Safeguard.
Safeguard 7.4: Perform automated application patch management: Perform application updates to enterprise assets via automated patch management on a monthly or more frequent basis.
Safeguard 7.6: Perform automated vulnerability scans of externally exposed enterprise assets: Perform automated vulnerability scans of externally exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly or more frequent basis.
Safeguard 7.7: Fix detected vulnerabilities: Fix detected vulnerabilities in software through processes and tools on a monthly or more frequent basis, depending on the remediation process.
Apply the principle of least privilege to all systems and services. Run all software as an unprivileged user (without administrative privileges) to lessen the effects of a successful attack. (M1026: Privileged Account Management)
Safeguard 4.7: Manage default accounts on enterprise assets and software: Manage default accounts on enterprise assets and software, such as root, administrator, and other preconfigured vendor accounts. Example implementations may include disabling default accounts or rendering them unusable.
Safeguard 5.4: Restrict admin privileges to dedicated admin accounts: Restrict admin privileges to dedicated admin accounts on company assets. Conduct general computing activities, such as browsing the Internet, emailing, and using the productivity suite, from the user's primary, non-privileged account.
Prevent access to file shares and remote access to unnecessary systems and services. Mechanisms to limit access may include the use of network hubs, RDP gateways, etc. (M1035: Limit Access to Resource Over Network)
Use intrusion detection signatures to block traffic at network boundaries. (M1031: Network Intrusion Prevention)
Safeguard 13.3: Deploy a network intrusion detection solution: Deploy a network intrusion detection solution on company assets, if applicable. Example implementations include the use of a network intrusion detection system (NIDS) or equivalent cloud service provider (CSP) service.
Safeguard 13.8: Deploy a network intrusion prevention solution: Deploy a network intrusion prevention solution, if applicable. Example implementations include the use of a Network Intrusion Prevention System (NIPS) or equivalent CSP service.
Use features to detect and block conditions that could lead to or indicate the occurrence of a software exploit. (M1050: Exploit Protection)
Safeguard 13.10: Perform application layer filtering: Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway.