Patching problems at Infosec
On-demand risk and compliance software provider Qualys has launched a new piece of research which provides a neat if somewhat depressing snapshot into the attitude of organisations to patching known vulnerabilities.
The vendor analysed over 680 million vulnerabilities out of which 72 million are critical, generated by around 80 million scans of its customers' systems last year.
According to the findings, the average time it takes for firms to patch just 50 per cent of the critical vulnerabilities they find has dropped a tiny amount from when similar research was done in 2004, to about 30 days.
Some industries are doing well - the service industry has the shortest recorded time of 21 days - while others are less good; manufacturing ranked last with 51 days, for example.
According to Qualys CTO Wolfgang Kandek, there is now consciousness about patching, which is an important step forward. He added that the figures may have appeared slightly disappointing because the vendor is now tracking more variants than in previous years, so there are in effect more vulnerabilities for customers to patch.
However, the danger now lies not with OS vulnerabilities, which he agreed most customers have got on top of, but with vulnerabilities in things like media players and other applications.
"The OS is OK but people are missing the other stuff," he warned. "Unfortunately, attackers are not at that level - they've got much better since 2004, with single or zero day threats now common."
Plenty of food for thought for CSOs at Infosecurity Europe this year then.
April 30, 2009
Infosecurity Europe kicks off Tuesday
It's almost upon us now, the most wonderful time of the year for security practitioners - Infosecurity Europe. Kicking off tomorrow in its new home of Earls Court, the event has grown to quite a size over the past four years I've been covering it. Over 300 security vendors and 11,000+ delegates will pack the show floor, alongside keynote presentations from MP David Blunkett, from the BBC's head of information security, Julia Harris, and from other luminaries of the security world.
Blunkett's speech has been widely trailed already, with the former Home Secretary likely to launch an attack on the government's "woeful lack of awareness" of the threat to the Olympics posed by cyber terrorists.
Also coinciding with the event, as it did last year, is Information Security Awareness Week, an awareness-raising project started by the Information Security Awareness Forum (ISAF).
"This event will provide a focus for awareness activities for suppliers and consumers of advice, will give experts an opportunity for those promoting awareness to collaborate for greater effectiveness, and will deliver a platform for launching initiatives on which to build and whose benefits are expected to continue for the coming weeks and months," said chair of the ISAF, David King.
April 27, 2009
F-secure upgrades SaaS security offering
As Microsoft prepares today to announce its new online email security product, Online Security for Exchange, another firm which has been doing on-demand security for a while, F-Secure, launched a new version of its Protection Service for Business (PSB) solution.
PSB is specifically designed for smaller firms that may not have the in-house expertise and resources to manage on-premises security products themselves, according to F-Secure.
Version 4.0, which was announced today, features speed and performance improvements and new email and spam protection, according to the firm.
"For a smaller company the Protection Service for Business subscription-based solution is like having a specialist security workforce armed with the latest technology - at a fraction of the cost of hiring IT staff and buying the technology," argued Juha Ollila, vice president of corporate business at F-Secure.
Customers can buy PSB as a service or, for the Standard version, under a traditional licence model.
The software-as-a-service model is gaining increasing acceptance among firms, as it can free up IT resources to concentrate on more strategic objectives.
F-Secure will be hoping that prospective customers are suitably scared into buying the service by recent vendor research showing massive growth in malware over 2008.
April 16, 2009
How to keep Twitter safe for business
You know when a social networking Web 2.0 micro-blogging phenomenon has made it when security firms are starting to release guides about it. Yes, managed security provider Network Box has become one of the first to the party with a new guide to secure use of Twitter.
Written as part of the firm's helpful "securing social media" series, it seeks to explain how you can actually allow what many employees may view as a fantastic business tool, without incurring extra risk.
"Increasingly, it is being used as a communications tool between companies and their customers, to address customer service issues, market new services, share information, or monitor and research what's being said about a company online," says the guide.
"The main risk is similar to that of social networks such as Facebook: trusting networks of people who are unknown to us in 'real' life."
As the guide rightly mentions, most of the Twitter security risks come from potentially malicious links posted by potentially fake account holders, or even from friends' accounts which have been hacked. The increasing number of Twitter applications from third parties can also increase your risk exposure because most ask for your Twitter password, the guide goes on.
"Much of the security on Twitter comes down to applying the same principles as in other media: create and apply a clear user policy; educate employees to use with caution; and keep tight controls on and update your existing security systems to reflect new kinds of use," advises Network Box.
"It is our recommendation that companies should explicitly reference Twitter and microblogs in their Internet and social media user policies."
Crucially, the guide also advises education seminars for staff alongside the usage policies. It has become a bit of a truism these days that AUPs are not worth the paper they're written on unless clearly communicated, and regularly updated and checked, but so few firms seem to adhere to this kind of best practice.
April 8, 2009
Help at hand for Conficker victims
The Conficker Working Group, an organisation set up to provide advice and help on the infamous worm, has launched a handy new checking tool to help users see if they are infected.
The Conficker Eye Chart features six images; the top row featuring anti-virus firms' logos and the bottom row operating systems other than Windows. The test is based on the fact that Conficker blocks access to over 100 anti-virus and security web sites, said the group.
"If you are blocked from loading the remote images in the first row of the top table above but not blocked from loading the remote images in the second row then your Windows PC may be infected by Conficker," say the explanatory notes on the site.
"If you can see all six images in both rows of the top table, you are either not infected by Conficker, or you may be using a proxy server, in which case you will not be able to use this test to make an accurate determination, since Conficker will be unable to block you from viewing the AV/security sites."
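The chart's decision rules, written out as an added example (not the Working Group's own code); the six image URLs are constructed placeholders standing in for the AV-vendor logos and the non-Windows OS logos the real chart loads from the vendors' sites:

```python
import socket
import urllib.error
import urllib.request

# Constructed placeholder URLs. The real chart fetches logos hosted on
# AV/security vendor sites (top row) and on non-Windows OS sites (bottom row).
AV_ROW = [
    "https://av-vendor-1.invalid/logo.png",
    "https://av-vendor-2.invalid/logo.png",
    "https://av-vendor-3.invalid/logo.png",
]
OS_ROW = [
    "https://os-vendor-1.invalid/logo.png",
    "https://os-vendor-2.invalid/logo.png",
    "https://os-vendor-3.invalid/logo.png",
]


def image_loads(url, timeout=5.0):
    """Return True if the image at `url` can be fetched with an HTTP 2xx."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except (urllib.error.URLError, socket.timeout, ValueError):
        # Blocked, unreachable, timed out or malformed: treat as not loaded.
        return False


def classify(av_loaded, os_loaded, behind_proxy=False):
    """Apply the chart's rules to per-image load results (lists of bools)."""
    if not os_loaded or not all(os_loaded):
        # The control row must load, otherwise this is a connectivity problem.
        return "inconclusive: control row blocked, check connectivity"
    if not any(av_loaded):
        return "possible Conficker infection: AV sites blocked, control sites load"
    if all(av_loaded):
        if behind_proxy:
            # A proxy fetches the images, so Conficker's blocking is hidden.
            return "inconclusive: proxy hides Conficker's blocking"
        return "no sign of Conficker: all six images load"
    # Some AV images load and some do not; not the pattern the chart describes.
    return "inconclusive: AV row partially blocked, investigate"


def run_chart(behind_proxy=False):
    """Probe both rows from this host and classify the result."""
    av = [image_loads(u) for u in AV_ROW]
    os_ = [image_loads(u) for u in OS_ROW]
    return classify(av, os_, behind_proxy)
```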
Despite unprecedented hype from various corners of the media prior to April 1 - the day when infected PCs were scheduled to connect to an update server - the predicted widespread disruption failed to materialise.
Experts have suggested that the criminals who own and operate the botnet would not want to risk losing the valuable network by triggering a major attack.
However, the virus still represents a risk to infected PCs and can be removed simply via a clean-up tool which many of the major AV vendors are now offering on their sites.
April 4, 2009
Are British parents breeding the next generation of hackers?
Anti-malware firm Trend Micro launched some new research today, which sheds some interesting light on the motivation and origins of hackers.
The firm polled around 1,000 parents and teenaged children and found that 40 per cent of kids have hacked into another person's profile to read emails, look at bank account details or log onto another person's social networking profile.
A third admitted to being tempted to try hacking or spying on the internet to make money, while, slightly less worryingly, ten per cent thought it was "cool" or "funny" to pretend to be someone else online.
The stats highlight that Britain is breeding the next generation of computer hackers, and shows that parents need to keep a closer eye on the surfing behaviour of their children, according to Trend Micro.
"In the past, we've seen a large increase in this kind of behaviour in holiday periods," commented Trend Micro security expert Rik Ferguson.
"Parents need to ensure they lead by example at all times, clearly but appropriately lay down some simple family guidelines and make sure they oversee the online activity without being obviously intrusive."
The firm recommended parents keep computers in common areas of the house, to set time limits on internet usage and to check browser history, among other things.
April 3, 2009