HP Trains a Spotlight on Security Laggards

Michael Vizard

Vendors that fail, within six months, to fix security issues identified by the TippingPoint security unit of HP are about to get a whole lot less comfortable.

HP says that, as part of its Zero Day Initiative (ZDI) program, the company will make public the vulnerabilities that vendors are not addressing, in an effort not only to improve security for enterprise IT overall but also to reduce the overhead associated with having to track so many vulnerabilities.

According to Aaron Portnoy, manager of security research for HP TippingPoint, there are now 31 instances where vendors are not issuing patches to fix security issues that were identified more than a year ago. HP joins Google and others in making public the security issues that they discover and that vendors leave unaddressed.

The decision by HP to identify long-standing vulnerabilities, along with suggested remediation, raises a few questions concerning responsible disclosure. After all, putting a spotlight on potential security targets may not have the desired effect in the short term. But then again, if we don't hold vendors to a higher security standard, what hope is there for the thousands of Web applications that are developed by internal IT organizations that are not nearly as skilled in security? In short, examples must be set.

At the moment, one vendor that is drawing a lot of attention from providers of malware is Adobe, which now routinely shows up on lists of security threats. Portnoy says the reason for this is that as operating systems from Microsoft have become more secure, cyber criminals have shifted their efforts to the next most broadly available software that is relatively easy to penetrate. That means Adobe Reader and Flash software are primary malware targets.

Adobe recently signed an alliance to coordinate its security efforts with Microsoft as part of a more concerted effort to address the issue.
