By Thomas Kristensen
Vulnerabilities have for a long time been the Achilles' heel of IT security in any networked environment.
As an organisation you may build strong perimeters, educate users, enforce effective policies, deploy signature-based security software, harden your systems, and do every other trick in the book; however, one single vulnerability in a common piece of software may prove all your efforts futile!
The Secunia Half Year Report 2010 presents statistics that show that vulnerabilities in common software are being discovered at an increasing rate, causing more and more critical security updates to be released.
The report further focuses on the effort required to keep your end-points (or private PC) up-to-date and secure against "surf-by" attacks and other attacks that even educated users cannot possibly recognise.
While the ultimate key to the solution lies with the software vendors, who need to spend significantly more resources building secure programs and helping their customers stay up-to-date, it is imperative that businesses and end-users start updating all of their programs and demand better security from the vendors.
No security appliance, no new operating system feature, and no new security program is going to eliminate the risk of running vulnerable software. To secure your network you must enforce a security updating policy, which dictates deployment of security-related program updates within a given (short) time frame to minimise the window of exposure.
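To make the "window of exposure" measurable rather than a slogan, the check below computes, for every installed program on every host, how many days elapsed between the vendor releasing a security update and the host actually receiving it (or today, if it is still missing), and flags everything that exceeded the policy deadline. This is an added example, not code from Secunia or from the report: the hosts, program names, dates and the 7-day deadline are all constructed values chosen for illustration.

```python
from datetime import date

# Constructed sample inventory (not data from the report). One row per
# host/program pair. "patch_available" is the date the vendor released the
# security update; "patched_on" is None while the update is still missing.
INVENTORY = [
    {"host": "ws-01", "program": "browser",
     "patch_available": date(2010, 6, 1), "patched_on": date(2010, 6, 3)},
    {"host": "ws-01", "program": "pdf-reader",
     "patch_available": date(2010, 6, 1), "patched_on": None},
    {"host": "ws-02", "program": "media-player",
     "patch_available": date(2010, 6, 20), "patched_on": date(2010, 6, 29)},
    {"host": "ws-02", "program": "browser",
     "patch_available": date(2010, 6, 25), "patched_on": None},
]

# Assumed policy deadline: security updates must be deployed within 7 days.
MAX_EXPOSURE_DAYS = 7


def exposure_days(record, today):
    """Days a host ran the vulnerable version after a fix existed.

    An update that is still missing is exposed up to and including today.
    """
    end = record["patched_on"] or today
    return (end - record["patch_available"]).days


def policy_violations(inventory, today, max_days=MAX_EXPOSURE_DAYS):
    """Records whose window of exposure exceeds the policy deadline.

    Both late-but-patched entries and still-unpatched entries are reported,
    so the list reflects what the policy was meant to prevent, not just
    the current backlog.
    """
    return [r for r in inventory if exposure_days(r, today) > max_days]


def still_missing(inventory, today, max_days=MAX_EXPOSURE_DAYS):
    """Subset of violations that can still be fixed: updates not yet applied."""
    return [r for r in policy_violations(inventory, today, max_days)
            if r["patched_on"] is None]


def compliance_rate(inventory, today, max_days=MAX_EXPOSURE_DAYS):
    """Fraction of host/program pairs that met the deadline (0.0 to 1.0)."""
    if not inventory:
        return 1.0
    violations = len(policy_violations(inventory, today, max_days))
    return (len(inventory) - violations) / len(inventory)


def report(inventory, today, max_days=MAX_EXPOSURE_DAYS):
    """Human-readable summary lines, one per violation plus a totals line."""
    lines = []
    for r in policy_violations(inventory, today, max_days):
        state = "UNPATCHED" if r["patched_on"] is None else "patched late"
        lines.append(f"{r['host']:6} {r['program']:13} "
                     f"{exposure_days(r, today):3d} days exposed ({state})")
    lines.append(f"compliance: {compliance_rate(inventory, today, max_days):.0%} "
                 f"of entries within {max_days} days")
    return lines


if __name__ == "__main__":
    for line in report(INVENTORY, date(2010, 6, 30)):
        print(line)
```

Feeding this from a real software inventory (a package manager database, an agent, or a vulnerability scanner export) is the missing piece; the point of separating `policy_violations` from `still_missing` is that the first is the metric operations is measured on, while the second is the work queue for today.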
Doubtless such a policy will be met with resistance in many organisations, because of a lack of understanding in IT operations of the threat posed by insecure programs, or simply because operations is usually measured on uptime and reliability rather than on security.
Needless to say, top-level management needs to get involved and back such a policy to ensure that IT security teams can inspect and enforce security updating policies.