
No Security Without Updating

11:00 CET on the 12th July 2010
Entry written by Thomas Kristensen.

Vulnerabilities have for a long time been the Achilles heel of IT-security in any networked environment.

As an organisation you may build strong perimeters, educate users, enforce effective policies, deploy signature-based security software, harden your systems, and do any other trick in the book. However, one single vulnerability in a common piece of software may prove all your efforts futile!

The Secunia Half Year Report 2010 presents statistics that show that vulnerabilities in common software are being discovered at an increasing rate, causing more and more critical security updates to be released.

The report further focuses on the efforts required to keep your end-points (or private PC) up-to-date and secure against “surf-by-attacks” or other attacks, which even educated users cannot possibly recognise.

While the ultimate key to the solution lies with the software vendors, who need to spend significantly more resources building secure programs and helping to keep their customers up-to-date, it is imperative that businesses and end-users start updating all of their programs and demand better security from the vendors.

No security appliance, no new Operating System feature, and no new security program is going to eliminate the risk from running vulnerable software. To secure your network you must enforce a security updating policy, which dictates deployment of security-related program updates within a given (short) time frame to minimise the window of exposure.

Doubtless such a policy will be met with resistance in many organisations, either because IT operations lacks understanding of the threat posed by insecure programs or simply because operations is usually measured on uptime and reliability and not on security.

Needless to say, top-level management needs to get involved and back such a policy to ensure that IT-security teams can inspect and enforce security updating policies.

Stay Secure,

Thomas Kristensen

Discuss this blog entry
taffy078 RE: No Security Without Updating
Contributor 12th Jul, 2010 12:07
Score: 408
Posts: 1,335
User Since: 26th Feb 2009
System Score: 100%
Location: UK
Last edited on 12th Jul, 2010 12:07
Excellent reminder, easy to understand, and one which applies to home PC-users too.
I bought my first PC in Jan 1999 - it came with the 1999 version of a well-known Firewall/AV program.
But the retailers didn't mention that I had to update it, nor that the (OEM) software had probably been installed in July 1998.

So it came as no surprise to them when I had to return it a month later to be 'cleaned'.

So many of my friends foolishly don't update their software. Unbelievable.
And from reading this article it's clear that many businesses don't update!


--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Was this reply relevant?
+6
-0

Maurice Joyce RE: No Security Without Updating
Handling Contributor 15th Jul, 2010 17:28
Score: 11744
Posts: 9,000
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Last edited on 15th Jul, 2010 17:35
Are U using PSI in the advanced mode?

Edit: On second thoughts U may benefit from this. Once U get into the swing of it things are fairly easy to fix.

SETTING UP PSI IN THE ADVANCED MODE
+++++++++++++++++++++++++++++++++++
Are U using the latest version of PSI that has the added feature of automatic updates for some programmes? If not, and U would like to try it the download link is here:
http://secunia.com/PSISetupAUTP.exe

Whatever version U currently use try this:

1. Open PSI by clicking the System tray icon or right click the icon & select Reload Interface.

2. Select the OVERVIEW tab.

3. In the top right corner U will see INTERFACE MODE - SIMPLE/ADVANCED. To be in the advanced mode the word SIMPLE should be blue and advanced black.

4. If advanced is blue click it. A message about advanced users may appear - ignore it - using the advanced mode is easy.

SETTING UP PSI FOR MAXIMUM ASSISTANCE
+++++++++++++++++++++++++++++++++++++

1. Click on the SETTINGS tab.

2. The top box should be empty & the two remaining boxes ticked.

3. Right at the bottom is a facility to create Global Ignore Rules. By default PSI scans & publishes the results on all the hard drives of a PC. OEM partition (reinstallation) drives (normally drive D), second internal or external drives SOLELY used to back up your work & C:\Windows\i386 can be ignored as they have no exposure. To save confusion in the future (by way of "false positives") U may consider it a good idea to create some Global rules now.

4. A separate Ignore Rule is required for each drive which can be set up as follows:

a. Click on CREATE IGNORE RULE

b. In the RULE NAME BOX insert something like MY BACKUP DRIVE (MY PARTITION DRIVE)

c. In the RULE BOX type D:\ (or the drive letter U wish to ignore) - For folder i386 use C:\Windows\i386.

d. Click SAVE IGNORE RULE > CLOSE

All drives will continue to be scanned by default but the result from the ignored list will not be published.

This thread has an article by @Anthony Wells that may also be of help in understanding the advanced mode:

http://secunia.com/community/forum/thread/show/375...

It does not contain details of the auto update feature but that is very simple to use. There is a list of programmes under AUTO UPDATES - just tick (check mark) any U want PSI to auto update for U.

If a new Forum Member U might find these interesting reading as well:

http://secunia.com/vulnerability_scanning/personal...

http://secunia.com/vulnerability_scanning/personal...

Version 6 23:45 11/07/2010

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+7
-0
boblgoogl RE: No Security Without Updating
Member 23rd Jul, 2010 13:10
Score: 3
Posts: 1
User Since: 23rd Jul 2010
System Score: N/A
Location: BO
Truth hurts. Secunia helps. Some security software vendors actively promote software "radio buttons" implying updates without specifying they're actually merely selling upGRADES and sales of more advanced or simply higher cost software. Caveat Emptor indeed.
Was this reply relevant?
+3
-0
UnclejackDC RE: No Security Without Updating
Member 14th Aug, 2010 18:12
Score: 0
Posts: 2
User Since: 27th Jul 2010
System Score: N/A
Location: US
Last edited on 14th Aug, 2010 18:12
The interesting side-effect of this is that one can quickly get tired of updating programs that are only of peripheral benefit, or even less.

Do we WANT or NEED {program-x} badly enough that we will be willing to spend a half-hour a week updating it for security purposes, or (worse) living with known vulnerabilities?

Rather than the familiar 1990s slogan, "The one who dies with the most installed software wins," we may be moving to a value judgment that clean-and-lean is the cost-effective approach.
Was this reply relevant?
+0
-0

© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144