One of the nice things about the ASD's Strategies to Mitigate Targeted Cyber Intrusions is that they rank them by effectiveness, saying that their top four would prevent 85% of intrusions.
Their top four are:
- Application Whitelisting.
- Patching Applications.
- Patching Operating System Vulnerabilities.
- Restrict Administrative privileges.
Patching is two out of the top four recommendations and has long been viewed by many IT security professionals, myself included, as one of the easiest things to do that gets you the best bang for your buck.
I was at a meeting recently where someone said an exploit had not been used against their network in about 6 months. The implication was that a huge percentage of malware these days is delivered as an .exe in a zip file from an email claiming to be a traffic infringement or something similar, suggesting that patching is no longer the easiest win for IT security.
I'm not entirely convinced that exploits are no longer being used; I think there are plenty of hacked sites and malvertising campaigns that take advantage of unpatched browsers or out-of-date applications like Flash. But I can see a bit of a shift from using exploits to infect computers to simply sending a trojan or a phishing email and relying on tricking users.