Posts Tagged ‘it planning’

The ‘Dirty Dozen’ Popular Applications With Vulnerabilities

Friday, December 19th, 2008

Bit9 released its annual ranking of popular consumer applications with known security vulnerabilities. The list reveals ‘The Dirty Dozen’ – the most-used applications on Windows that are the most vulnerable to security flaws that could compromise systems and/or private data.

All of the programs on the list are Windows-based, well known, and not classified as malicious by IT organizations. Each had at least one critical vulnerability identified in 2008, or one rated high severity. Each also relies on end users to apply its own updates; none of them can be patched through centralized enterprise update tools.

In addition to leaving security updates to end users, these programs often run outside the control or knowledge of IT, which creates compliance gaps and can lead to breaches, heavy fines and losses. The list is also skewed by its own selection criteria: because it only considers software that cannot be centrally updated, it says nothing about whether these programs are more or less secure than applications that can be. Internet Explorer, for example, can be centrally updated, but it is not necessarily more secure than Firefox, which tops the ‘Dirty Dozen’.

The ‘Dirty Dozen’, ordered by number of vulnerabilities, with the affected versions as given in the report:

  1. Mozilla Firefox (3.x, 2.x)
  2. Adobe Flash & Acrobat (Flash: 10.0 - 10.0.12.36 and 9.0 - 9.0.151.0; Acrobat: 8.1.2, 8.1.1)
  3. EMC VMware Player, Workstation and other products (ESXi: 3.5 or earlier; Workstation: 5.5.x; Player: 2.0.x & 1.0.x; ACE: 2.0.x & 1.0.x)
  4. Sun Java Runtime Environment (JRE) (Version 6 Update 6)
  5. Apple QuickTime, Safari & iTunes (QuickTime: 7.5.5; Safari: 6.0.5.20B; iTunes: 3.2, 3.1.2)
  6. Symantec Norton products (2.7.0.1)
  7. Trend Micro OfficeScan (8.0 SP1 before build 2439; 8.0 SP1 Patch 1 before build 3087)
  8. Citrix Deterministic Network Enhancer (DNE), Access Gateway, Presentation Server (DNE: 2.21.7.233 - 3.21.7.17464; Access Gateway: 4.5.7; Presentation Server: 4.5)
  9. Aurigma Image Uploader, Lycos FileUploader (4.6.17.0, 4.5.70.0, 4.5.126.0)
  10. Skype (3.6.0.248)
  11. Yahoo! Assistant (3.6)
  12. Microsoft Windows Live Messenger (4.7 & 5.1)

There is considerable evidence that requiring end users to make security decisions leads to incidents, through lack of knowledge or understanding, so in the enterprise a centralized approach to IT asset management has been the norm. The hard part of that approach is accommodating the applications users want and need, and deciding how to manage them appropriately.
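One way to act on a list like this from a central inventory is to compare the installed software you can see against the listed version ranges. The following is an added example, not code from the Bit9 report or from Absolute: the version bounds are transcribed from the list above for the entries that state explicit bounds and are assumed to be inclusive, and the inventory is constructed to look like a dump of the Windows Uninstall registry key. The detail worth noting is parse_version: compared as strings, "10.0.12.36" sorts before "10.0.2", so versions have to be compared numerically component by component or the check silently misclassifies builds.

```python
"""Flag installed software whose version falls in a known-vulnerable range.

Added example; not code from the Bit9 report or from Absolute. Version bounds
are transcribed from the 'Dirty Dozen' list above (assumed inclusive), and the
inventory is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.0.12.36' into (10, 0, 12, 36).

    Versions must be compared numerically per component: as strings,
    '10.0.12.36' sorts *before* '10.0.2'. A component with a non-numeric
    suffix such as '20B' keeps only its digits.
    """
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_in_range(installed: str, low: str, high: str) -> bool:
    """True when low <= installed <= high, padding short versions with zeros
    so that '10.0' and '10.0.0.0' compare equal."""
    vals = [parse_version(v) for v in (installed, low, high)]
    width = max(len(v) for v in vals)
    inst, lo, hi = (v + (0,) * (width - len(v)) for v in vals)
    return lo <= inst <= hi


@dataclass(frozen=True)
class VulnRange:
    product: str  # matched case-insensitively as a substring of the inventory name
    low: str      # inclusive lower bound
    high: str     # inclusive upper bound (equal to low for a single listed build)


# Bounds transcribed from the list above. Entries without explicit version
# bounds (Firefox 3.x/2.x, Norton products, ...) are not encoded here.
DIRTY_DOZEN_RANGES = [
    VulnRange("Adobe Flash Player", "10.0", "10.0.12.36"),
    VulnRange("Adobe Flash Player", "9.0", "9.0.151.0"),
    VulnRange("Adobe Acrobat", "8.1.1", "8.1.2"),
    VulnRange("QuickTime", "7.5.5", "7.5.5"),
    VulnRange("Citrix Deterministic Network Enhancer", "2.21.7.233", "3.21.7.17464"),
    VulnRange("Skype", "3.6.0.248", "3.6.0.248"),
]

# Constructed inventory: (display name, version) pairs in the style an
# inventory agent or a dump of the Uninstall registry key would report.
SAMPLE_INVENTORY = [
    ("Adobe Flash Player 10 ActiveX", "10.0.12.36"),
    ("Adobe Flash Player 10 Plugin", "10.0.22.87"),   # later than the listed range
    ("Skype", "3.6.0.248"),
    ("Skype", "3.8.0.139"),                            # later than the listed build
    ("QuickTime", "7.5.5"),
    ("Mozilla Firefox (3.0.5)", "3.0.5"),              # no bounds on the page, so never flagged
]


def find_vulnerable(inventory: Iterable[Tuple[str, str]],
                    ranges: Iterable[VulnRange] = DIRTY_DOZEN_RANGES) -> List[Tuple[str, str, str]]:
    """Return (name, version, 'low-high') for every inventory entry whose name
    matches a listed product and whose version sits inside its range."""
    ranges = list(ranges)  # the inner loop re-iterates, so a generator would be consumed
    hits = []
    for name, version in inventory:
        for r in ranges:
            if r.product.lower() in name.lower() and version_in_range(version, r.low, r.high):
                hits.append((name, version, f"{r.low}-{r.high}"))
    return hits


if __name__ == "__main__":
    for name, version, bounds in find_vulnerable(SAMPLE_INVENTORY):
        print(f"VULNERABLE  {name} {version}  (listed range {bounds})")
```

Substring matching on the display name is deliberately loose so that "Adobe Flash Player 10 ActiveX" and "Adobe Flash Player 10 Plugin" both match; in a real deployment you would key on the product's own identifier and feed the hits into whatever ticketing or software-distribution system you use to push the update, which is exactly the step these twelve applications do not support.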

Download the report here.

Via Internet News

Most Employees Ignore IT Security Policies

Friday, November 14th, 2008

Employees continue to ignore security policies, notes another survey from RSA. Over 50% of employees work around existing IT security policies in order to get their work done.

The insider threat survey, conducted by RSA among 417 attendees at industry events, polled workers across a range of industries, weighted toward the financial and technology sectors. Nearly half of respondents worked in IT. The survey indicates that, despite awareness of IT policies, convenience trumps security.

Highlights from the survey:

  • 94% are familiar with their organizations’ IT security policies
  • 53% have felt the need to work around IT security policies in order to get their work done
  • 64% frequently or sometimes send work documents to their personal email address in order to access and work on them from home
  • 15% have held a door open for someone at work that they did not recognize
  • 89% frequently or sometimes conduct business remotely over a virtual private network (VPN) or webmail
  • 58% frequently or sometimes access their work email via a public computer / 65% via a public wireless hotspot
  • One in 10 has lost a laptop, smartphone and/or USB flash drive with corporate information on it
  • 79% frequently or sometimes leave their workplace carrying a data device containing sensitive information related to their jobs
  • 43% had switched jobs internally and still had access to accounts/resources which they no longer needed
  • 37% have stumbled into an area of their corporate network to which they believe they should not have had access

As you can tell, many of the results mirror the Cisco study that came out in October. The lesson is to rethink the “insider threat” as not just malicious action by employees, but also the “innocent” rule breaking they do day-to-day in order to get work done.

This kind of rule breaking is more complex than it looks, because it may stem from a lack of clear instructions. Employees may be familiar with IT security policies, but those policies may be vague in places, or employees may get mixed messages from overlapping policies or a mismatch between policy and procedure. For example, if certain programs and websites are, by policy, not allowed, then by procedure they should be blocked. That is not always the case.

As with many security policies, it comes down to training and enforcement. Train all new employees well, and keep training existing employees on an ongoing basis; everyone can use the refresher. And enforce the rules: employees should know the potential consequences of crossing the line at the corporate level (risk of a data breach) and at the personal level (being reprimanded for going against policy, regardless of outcome).

Technology solutions like Absolute’s asset management software can help you identify if users are operating outside corporate policies.

Via CSO Online ; image: mconnors @morguefile
