That’s the latest in the news from Secunia, one of the internet’s most cautious firms when it comes to reporting trouble. The reason things are accelerating? Why, it’s virtualization, of course.
You may have thought that virtualization would make your life easier, and it will, but only if you take the right precautions, and maintain a vigil on your installations.
A story on InformationWeek highlights the problems and gives some advice –
The number of PC vulnerabilities is going up, and going up fast, according to security firm Secunia. The first six months of 2010 witnessed close to 400 detected vulnerabilities. 2009 saw 420 for the whole year.
More software — more vulnerabilities.
That’s one of the unavoidable conclusions drawn from Secunia’s report on the first half of this year, a year that, if the trends the company perceives continue, will see the number of PC vulnerabilities nearly double before the end of the year.
The dramatic increase in the number of vulnerabilities is traceable, at least in large part, to the amount of software on users’ computers.
Third-party software is a particular culprit, especially when it comes to exposing users to Internet-based risks.
The dilemma is that a lot of that software on your workers’ computers may be software that you’re not aware of, haven’t approved and, even if vulnerabilities have available patches, may not have been patched on all (or any) machines in your business.
In other words, welcome to the real world, 2010-style.
The solution, or at least the response, to that reality takes a few forms.
Clearly, Secunia, as with any other security vendor, wants you to look at its offerings as an approach to dealing with mounting maladies. And that’s a good general first step:
If you haven’t reviewed your security vendor’s products and technologies lately, and compared them to other products on the market, now’s the time to do so.
Second, take the time to take an inventory and find out what your employees are running on their machines:
An audit or inventory of the software installed on company machines not only gives you a tally of what programs are out there and in need of patching or removal, it will also give you a sense of how lax (or solid) your installation of non-company-approved apps policy is.
Always assuming you have such a policy, of course. If you don’t:
Putting a third-party and user-installed software policy in place is crucial, and should be at or near the top of the list for IT security this quarter. Patch policy must be central to your software policy.
And, to return to the first point, when reviewing security vendors:
Look for products or security services that monitor every device and look for any new apps on your systems. Knowing what’s in there will help you keep out the dangerous stuff that’s out there.
Of course this is targeted at the corporate user, but you are no different if you are doing the same things, whether you use the latest virtualization tools to get more accomplished or simply use them as a learning tool. What you don’t want to learn is that your grief levels have increased in direct proportion to your applications.
Following good practices means putting them in place on all levels, and using automated checks so that your time is not completely consumed just keeping up with security.
Also, for Windows systems, let Secunia help you on your non-business systems by running the Personal Software Inspector, which will monitor your system for unpatched and out-of-date software. It’s one less thing to have to think about each week. (And if it saves 15 minutes to half an hour, that’s time you can spend on something less tedious, right?)
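To show what the inventory-plus-policy check described above looks like as an automated step, here is an added example (not code from the post, from Secunia, or from InformationWeek). The approved-software table, minimum patched versions, host names and inventory rows are all constructed sample data, and the version format is an assumption; an inventory tool’s real export would be fed in the same way.

```python
"""Reconcile a software inventory against an approved-software policy.

Constructed example: the policy table and the inventory rows below are
invented sample data, not output from any real audit tool.
"""

# Constructed policy: approved app -> minimum patched version.
# Anything not listed here counts as a non-company-approved install.
APPROVED_MIN_VERSION = {
    "PDF Viewer": "9.3.3",
    "Runtime Plugin": "1.6.0_21",
    "Browser": "3.6.8",
}

# Constructed inventory: one (host, app, version) row per install,
# the shape an inventory or audit export would typically give you.
INVENTORY = [
    ("ws-101", "PDF Viewer", "9.3.3"),
    ("ws-101", "Browser", "3.5.9"),            # approved, but behind the patch level
    ("ws-102", "Runtime Plugin", "1.6.0_20"),  # approved, but behind the patch level
    ("ws-102", "TorrentClient", "2.1"),        # not on the approved list at all
    ("ws-103", "PDF Viewer", "9.3.3"),
    ("ws-103", "Runtime Plugin", "1.6.0_21"),
]


def version_key(version):
    """Turn '1.6.0_21' into (1, 6, 0, 21) so versions compare numerically,
    not as strings ('9' < '10' would otherwise sort the wrong way)."""
    chunks = version.replace("_", ".").split(".")
    return tuple(int(c) if c.isdigit() else 0 for c in chunks)


def audit(inventory, policy):
    """Return (unapproved, outdated): installs the policy does not allow,
    and approved installs sitting below the minimum patched version."""
    unapproved, outdated = [], []
    for host, app, version in inventory:
        if app not in policy:
            unapproved.append((host, app, version))
        elif version_key(version) < version_key(policy[app]):
            outdated.append((host, app, version, policy[app]))
    return unapproved, outdated


def hosts_needing_action(inventory, policy):
    """Sorted list of hosts that appear in either finding list."""
    unapproved, outdated = audit(inventory, policy)
    return sorted({row[0] for row in unapproved} | {row[0] for row in outdated})


if __name__ == "__main__":
    bad, old = audit(INVENTORY, APPROVED_MIN_VERSION)
    print("unapproved:", bad)
    print("outdated:", old)
    print("hosts needing action:", hosts_needing_action(INVENTORY, APPROVED_MIN_VERSION))
```

Run on a scheduled basis against the real export, the two lists are the patch queue and the policy-violation queue from the article, and the host list is who to chase this week.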
Quote of the Day:
If you destroy a free market, you create a black market.
–Sir Winston Leonard Spencer Churchill
Simply piling on more software doesn’t make the system harder to hack or corrupt. Nothing is too big to fail… nothing.