[From the desk of Paul Davis – his opinions and no-one else’s, apart from the reporter’s opinions ]
I had a request to change the format of the date in the Subject line to make it easier to sort. So I made the change.
* Swift CEO Expects More Hacking Surprises as Fix Is Years Away
* Despite hacking and snooping fears, web surveillance legislation sails forward
* Forget fingerprints; Iris scans could validate mobile payments
* Cyber Insurance: Is It Worth It?
* sFlow and Network Security: Understanding the Tradeoffs
* Why the shortage of skilled cybersecurity experts will drive up the cost of doing business
* Microsegmentation & The Need For An Intelligent Attack Surface
* 41% of Organisations Unaware of Security Breaches
* Singapore to cut off internet access for gov’t workers
* 33% of UK Firms are Buying Bitcoin in Anticipation of Cyber Attacks
* Three-quarters of UK adults would walk away from a business that has been hacked – banks and HMRC perceived as best at dealing with hacks, while retailers and travel sites below par
* NATO to Invest Billions of Euros to Tap Industry Cybersecurity Know-How
* How to survive in the CISO hot-seat
* How to build a thriving information security function despite the talent shortage
* Security event management: 14 questions to ask before you buy
* Enterprises Rather Pay Bitcoin Ransomware Fee Than Improve Cyber Security
* It takes 248 days for IT businesses to fix their software vulnerabilities
* Real Hackers Don’t Wear Hoodies (Cybercrime is Big Business)
* #Infosec16: AI Could Transform Security Operations … But Don’t Believe the Hype
* CORRECTING and REPLACING HITRUST Pilot Advances Health Industry Cyber Threat Sharing to Combat Ransomware and Other Cyber Attacks
* RSA: Organizations Need to Determine Their ‘Cyber Risk Appetite’
* Vulnerability Spotlight: PDFium Vulnerability in Google Chrome Web Browser
* Perception of cloud security within enterprises is improving
* OPM names first CISO
Swift CEO Expects More Hacking Surprises as Fix Is Years Away
(Bloomberg) — The chief executive officer of Swift, the interbank messaging system embroiled in a global bank-hacking controversy, says to expect more information about breaches to emerge as fully armoring the network’s defenses is likely to take years.
“We don’t think this is going to be solved overnight, so we’ll be looking for a number of quick wins to improve things in the near term,” Gottfried Leibbrandt, Swift’s CEO, said in an interview from the cooperative’s London office on Wednesday. “The full rollout, and the full shore up, will be a matter of years.”
Leibbrandt declined to speculate on who was behind the attack, saying the cooperative isn’t in the business of attributing blame, and that it is too early to tell if the breaches were inside jobs committed by bank employees.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=4484b97da2&e=20056c7556
Despite hacking and snooping fears, web surveillance legislation sails forward
The government’s controversial web surveillance legislation continues to make its way towards becoming law.
The bill passed its third reading in the House of Commons by 444 votes to 69: it now goes to the House of Lords, where it will face more scrutiny: the government wants the new law to be in force by the end of the year.
One of the most controversial aspects of the Investigatory Powers Bill is that it requires telecoms companies and internet service providers to store information about every person’s communications data – calls, texts and web browsing history for a year.
This goes much further than the US and other European countries and has led to the bill being known as a ‘snoopers’ charter’.
Despite the parliamentary debates, it appears that general awareness of the looming legislation remains low: a poll commissioned by human rights campaign group Liberty claims that nine out of ten British adults believe the state surveillance powers proposed by the bill are not acceptable.
Nearly three quarters (72 per cent) claimed they don’t know anything about the bill – or had never even heard of it.
According to Liberty’s survey, 38 per cent of respondents believe it would only be acceptable for the government to access and monitor records of communications and web usage if they were suspected of committing a crime: 22 per cent said it would be acceptable only if they have committed a crime.
And while 30 per cent believe it would never be acceptable, eight per cent said they were happy to be monitored like this in all circumstances.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=abf33c2539&e=20056c7556
Forget fingerprints; Iris scans could validate mobile payments
For online purchases, iris scans could help authenticate buyers.
And while SMS (Short Messaging Service) is an option, banks want greater security when using SMS payments.
That’s where a multimodal approach — integrating facial, voice and behavioral scans into what’s required for a purchase — might help.
One reason for the slow adoption of mobile payments in the U.S. is that consumers don’t see the value of using a mobile device instead of a credit card, she added.
The roll-out of chip-enabled credit cards in the U.S. could eventually help boost interest in mobile payments, but hasn’t apparently made a big difference so far.
A U.S. Federal Reserve survey of 2,137 people published last year showed that 75% didn’t use mobile payments because they felt it easier to pay with cash or a credit or debit card, while 59% were worried about the security and privacy of mobile payments.
Different biometric approaches are needed depending on the type of mobile payment.
In-store, most customers wouldn’t want to pose for a few seconds in front of other customers in line for a facial or voice scan.
Meanwhile, Huang found that palm vein sensors would be an optimal point-of-sale authentication technology, but would be prohibitively expensive.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a5c08b9a06&e=20056c7556
Cyber Insurance: Is It Worth It?
Just days after a federal appellate court supported a community bank’s claims that its $485,000 account-takeover loss should be covered by insurance, a federal district court in Arizona ruled that restaurant chain P.F. Chang’s China Bistro should not be reimbursed by its cyber insurer for fees it paid to its merchant services provider related to its 2013 card breach.
It’s the second legal setback for P.F. Chang’s in recent months.
In April, a federal appellate court ruled that a consumer class-action suit filed against the chain could move forward (see P.F. Chang’s Ruling: Is the Tide Shifting?).
“In this age of uncertainty, as it relates to hacking and cyber liability, an important mitigant for companies is cyber insurance,” says cybersecurity attorney Chris Pierson, CISO and general counsel at invoicing and payments provider Viewpost. “But if it becomes more difficult for companies to get policies that will … cover losses, companies may decide going forward that it may not be worth investing in cyber insurance. [The P.F. Chang’s] case could prove to be a very important event that helps companies decide if they will buy cybersecurity insurance policies.”
Most insurers don’t offer coverage for fees assessed by Visa and MasterCard, which are often passed along to retailers by processors and banks that offer merchant services, Litan says.
Those fees are considered to be part of the card associations’ regular business practices, which are included in merchant contracts, she explains.
The court ruled that Federal Insurance Co. was not responsible for covering breach-related fees that are paid to a third-party under contract.
“Everyone in the card food chain wants to be made as whole as possible,” Pierson says. “Visa and MasterCard are looking to make sure they are made whole; merchant services groups and processors want to be made whole; and the third-party institutions want to be made whole.”
As a result, cyber insurance is at an important crossroads, he adds. “Companies implement cybersecurity insurance to mitigate harm that cannot otherwise be mitigated by security controls or people.
To the extent cybersecurity insurance becomes unusable, the market incentives for securing this will disappear.”
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=319313427a&e=20056c7556
sFlow and Network Security: Understanding the Tradeoffs
sFlow, which is short for “sampled flow,” provides an industry standard for exporting truncated packets with interface counters.
The sFlow Agent is a software process that runs as part of the network management software within devices, such as routers or switches.
The sFlow agent packages the data into sFlow datagrams that are immediately sent on the network to minimize memory and CPU requirements.
According to sFlow.org – the authoritative source of the sFlow protocol specifications – sFlow offers a number of advantages
NetFlow is a proprietary protocol from Cisco to collect IP network traffic as it enters or exits an interface.
JFlow is Juniper’s flow protocol, and there are other XFlows from a variety of vendors, and for the purposes of this discussion, they are all very similar to NetFlow.
Internet Protocol Flow Information Export (IPFIX) – an IETF protocol that defines how IP flow information is formatted and transferred from an exporter to a collector – is based on NetFlow v9.
Unlike sFlow, NetFlow isn’t sampled, but it is cached and then exported based on active and inactive timeouts.
The lowest possible value for exporting active flows is one minute, and inactive conversations are exported every 15 seconds.
This means that information about ongoing conversations is exported with a delay of at least one minute.
While this gives sFlow a point in its favor, many newer NetFlow exporters can be tuned to export at higher rates, diminishing sFlow’s speed advantage.
NetFlow/IPFIX traffic can be sampled, and sFlow is, by definition, always sampled.
Sampling can significantly reduce CPU usage, but is sampling network flow traffic in general a good idea for security purposes?
The short answer is that sampling is not ideal for ensuring you have maximum visibility for maximum security and protection.
One other “feature” of sFlow is that sampled packets get forwarded as they are picked up, but they are not timestamped.
This means there is a small level of uncertainty about the exact capture time of the packet.
So, when it comes to network security, can you use sFlow?
Or do you really need a NetFlow/IPFIX solution?
The answer is that it depends.
Sampled sFlow is very powerful for fast DDoS detection.
If you are an ISP or a large enterprise and plan to use NetFlow for data and security analysis, that can justify the increased hardware cost associated with tracking every communication.
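To make the two tradeoffs above concrete (sampling loses low-volume flows and only estimates counts; NetFlow sees everything but exports on 60 s active / 15 s inactive timeouts), here is an added simulation that is not part of the original article. All addresses, the packet trace and the alert threshold are constructed for the example; real sFlow agents sample randomly, whereas this uses every Nth packet so the result is deterministic.

```python
"""Simulate the sFlow vs NetFlow visibility/latency tradeoff (constructed example).

sFlow side: every Nth packet is forwarded immediately and is not timestamped,
so the collector only knows its own arrival time.  NetFlow side: every packet
is counted in a flow cache, and a record leaves the cache only when the active
(60 s) or inactive (15 s) timeout fires, which is the export delay described.
"""
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_RATE = 100                 # sFlow: forward 1 in N packets
ACTIVE_TIMEOUT_US = 60_000_000    # NetFlow active timeout (one minute minimum)
INACTIVE_TIMEOUT_US = 15_000_000  # NetFlow inactive timeout
DDOS_THRESHOLD_PKTS = 1000        # alert once a destination has this many packets

# Constructed (documentation-range) addresses, not real hosts.
VICTIM, PROBE_DST, SESSION_DST = "198.51.100.10", "198.51.100.20", "198.51.100.30"


@dataclass(frozen=True)
class Packet:
    ts_us: int    # microseconds since the start of the trace
    src: str
    dst: str


def build_trace():
    """Constructed trace: a 120 s one-packet-per-second session, a 2 s flood of
    4000 packets from 250 spoofed sources, and a 3-packet probe at t=30 s.
    Timestamps are chosen so that none collide."""
    pkts = [Packet(i * 1_000_000 + 333_333, "10.0.0.5", SESSION_DST) for i in range(120)]
    pkts += [Packet(10_000_000 + k * 500, f"203.0.113.{k % 250}", VICTIM) for k in range(4000)]
    pkts += [Packet(30_000_000 + j * 100_000, "192.0.2.77", PROBE_DST) for j in range(3)]
    return sorted(pkts, key=lambda p: p.ts_us)


def sflow_samples(packets, rate=SAMPLE_RATE):
    """Systematic 1-in-N sampling.  Returns (collector_arrival_us, packet):
    the agent adds no timestamp, so arrival time is all the collector has."""
    return [(p.ts_us, p) for i, p in enumerate(packets) if i % rate == 0]


def sflow_estimate_by_dst(samples, rate=SAMPLE_RATE):
    """Scale sampled counts back up to an estimated packet count per destination.
    Flows with no sampled packet are simply absent from the result."""
    est = defaultdict(int)
    for _, p in samples:
        est[p.dst] += rate
    return dict(est)


def sflow_alert_time(samples, rate=SAMPLE_RATE, threshold=DDOS_THRESHOLD_PKTS):
    """Arrival time of the sample at which a destination's estimate crosses
    the threshold (None if it never does)."""
    seen = defaultdict(int)
    for arrival, p in samples:
        seen[p.dst] += rate
        if seen[p.dst] >= threshold:
            return arrival
    return None


@dataclass
class FlowRecord:
    src: str
    dst: str
    packets: int
    exported_at_us: int


def netflow_export(packets, active=ACTIVE_TIMEOUT_US, inactive=INACTIVE_TIMEOUT_US):
    """Unsampled flow cache keyed by (src, dst).  Records are exported only when
    a timeout fires; the cache is swept each time a packet advances the clock."""
    cache = {}    # (src, dst) -> [first_ts, last_ts, packet_count]
    records = []

    def sweep(now, flush=False):
        for key, (first, last, count) in list(cache.items()):
            if flush or now - last >= inactive:
                records.append(FlowRecord(*key, count, last + inactive))
            elif now - first >= active:      # long-lived flow: export and restart
                records.append(FlowRecord(*key, count, first + active))
            else:
                continue
            del cache[key]

    for p in packets:
        sweep(p.ts_us)
        entry = cache.setdefault((p.src, p.dst), [p.ts_us, p.ts_us, 0])
        entry[1], entry[2] = p.ts_us, entry[2] + 1
    sweep(packets[-1].ts_us, flush=True)
    return sorted(records, key=lambda r: r.exported_at_us)


def netflow_alert_time(records, threshold=DDOS_THRESHOLD_PKTS):
    """Export time of the record at which a destination's exact packet count
    crosses the threshold (None if it never does)."""
    seen = defaultdict(int)
    for r in records:
        seen[r.dst] += r.packets
        if seen[r.dst] >= threshold:
            return r.exported_at_us
    return None


if __name__ == "__main__":
    trace = build_trace()
    samples, records = sflow_samples(trace), netflow_export(trace)
    print("sFlow estimate per dst:", sflow_estimate_by_dst(samples))
    print("sFlow DDoS alert at   : %.3f s" % (sflow_alert_time(samples) / 1e6))
    print("NetFlow DDoS alert at : %.3f s" % (netflow_alert_time(records) / 1e6))
    print("NetFlow probe packets :", sum(r.packets for r in records if r.dst == PROBE_DST))
```

The flood is flagged from sFlow samples about half a second into the attack, while NetFlow only reports it once the spoofed flows go inactive roughly 15 s after the flood ends; conversely the 3-packet probe never appears in the sampled view at all, and the long session is exported by NetFlow only after its first active timeout at 60 s.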
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=5b99c5dd98&e=20056c7556
Why the shortage of skilled cybersecurity experts will drive up the cost of doing business
A recent report by SEEK.com showed the year-on-year growth in demand for these experts at 57%, and it’s evident that while companies need specialists to keep their networks and companies secure, there are an insufficient number of skilled employees available to fill these roles.
In an interview with CIO.com.au, MailGuard CTO Jason Pearce said “For Australia it’s almost at a critical point.
As a cyber security company to find good skills in the market is very hard.
If you can’t attract skills locally, organisations have to go offshore and find people to bring into the country.
From an operational cost perspective, organisations are invariably turning to technological solutions as they explore new avenues to reach customers and strive for competitive advantages across their business.
In doing so, not only do businesses need to wear the costs of improving their offerings to streamline and automate processes, and to create direct (web and mobile) channels to serve and support customers, but those businesses must also consider the associated security costs too.
Perhaps one of the most detrimental costs attributed to this shortage is the reputational damage associated with cyber issues.
Without investing appropriately in cybersecurity professionals to implement effective threat protection measures, businesses risk erosion in business trust and reduced consumer confidence, which are potentially far greater costs than purely financial ones.
Leaders in the cybersecurity industry also need to actively work with universities to design internship programs that expose students to the security landscape.
Giving universities access to cybersecurity experts who can share their real-world experience with university students is the way forward in reducing this skills shortage and defending the state of the nation against cyber attack.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=df2315d8ff&e=20056c7556
Microsegmentation & The Need For An Intelligent Attack Surface
There is a set of microsegmentation technologies available and being considered for usage today that optimize on the lowest-common denominator of security.
These technologies offer a relatively simple security model applied to as many form-factors and variations of applications as possible: containers, VMs, on-premises, cloud, bare metal, and network device.
In optimizing for as many computing platforms as possible, a set of tradeoffs is made against the depth of policy needed for the top tier of application: those that provide control point services supporting the entire enterprise.
Microsegmentation systems optimize on reach and attempt to provide a baseline level of security across as many disparate systems as possible.
This includes workloads that currently reside on everything from bare metal servers and mainframes, to virtual machines, containers, cloud providers, and firewalls.
The larger the number of device types that can be supported by a vendor, the more broadly the policies can be applied to a given enterprise.
The main difference is that — as opposed to “shrinking” the attack surface — this path focuses on replacing the attack surface altogether.
This model creates an intelligent wrapper in which you encapsulate the workload you are protecting.
There are several key capabilities required to encapsulate a workload:
1) Control Administrative Access
2) Control Transport Protocols
3) Control Authentication
4) Control Storage Access
5) Control Operations
For Tier 0 applications throughout your enterprise, take a look at your zoning and supporting policies.
There has been a lot of talk about reducing the attack surface, and for some Tier 1 and 2 applications and user-to-server access, that may be appropriate.
But for Tier 0, such as your command and control infrastructure or your systems of record, consider removing the attack surface altogether and placing an abstraction layer around the application that provides the actionable intelligence your Infosec team needs to protect your operation.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a5954a6e9e&e=20056c7556
41% of Organisations Unaware of Security Breaches
UK organisations are ill-equipped to mitigate today’s increasingly complex threat landscape, according to new research from Node4.
The survey of 100 UK-based IT decision makers reveals 41% do not know how many security breaches their organisation has suffered in the last 12 months.
The survey, carried out with IT decision makers (ITDMs) in organisations of 50 or more employees, reveals a lack of protection against increasingly sophisticated security risks.
As many as three-quarters (75%) have no DDoS protection in place or Unified Threat Management, rendering them at a disadvantage when attempting to identify, analyse and action threats.
In fact, almost half (46%) lack firewalling security measures.
The full research is covered in a new Node4 IT industry report launched today, “IT Security: the evolving threat landscape”.
It presents comprehensive insight into current security concerns, the approaches IT decision makers are taking to protect their organisations and, critically, how they can shape IT security strategies to mitigate against cybercrime.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=3d5d86cd55&e=20056c7556
Singapore to cut off internet access for gov’t workers
SINGAPORE – Government employees in Singapore will soon lose their internet access at work to make official information systems more secure, authorities said Wednesday.
The government’s Infocomm Development Authority said it has begun disconnecting internet access from the work stations of some government employees, and will expand the removal to all public workers by next June.
The newspaper said government employees who need the internet for work will be issued separate laptops with web access.
If they don’t, they can use the internet on personal tablets or cellphones without access to government networks, it said.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d4b87d2b09&e=20056c7556
33% of UK Firms are Buying Bitcoin in Anticipation of Cyber Attacks
A cyber-security survey by remote access developer Citrix has found an interesting use case for holding bitcoin – being prepared to pay a ransom to hackers holding your files captive.
The poll asked 250 British IT and cyber-security specialists representing companies of various sizes about their preparedness for cyber-crime and found that 33% said they were buying bitcoin in order to be able to pay off future ransomware attackers.
According to the survey, the storing of bitcoin or other cryptocurrencies is being done by 36% of the smaller businesses who participated (those with 250-500 employees) and 57% of medium firms (those with 501-1000 employees).
Only 18% of the larger firms (those with more than 2,000 employees) said they keep a similar ransomware stash, however they did say they are willing to pay up to £50,000 in order to unlock their files if they contain important intellectual property or business critical data.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c06948cffd&e=20056c7556
Three-quarters of UK adults would walk away from a business that has been hacked – banks and HMRC perceived as best at dealing with hacks, while retailers and travel sites below par
A new study from Centrify reveals that 75 per cent of adults in the UK would stop doing business with, or would cancel a membership to, an organisation if it was hacked.
This suggests, however, that a quarter would carry on using that company, despite the security risks to both personal and financial information.
To some degree, most consumers expect to be hacked today, with 73 per cent in the UK admitting that it has become normal or expected for businesses to be hacked.
Despite this, only half feel that they are taking enough responsibility for the security of their customers’ or members’ personal information.
Most people believe that the burden of responsibility for security falls to the business.
About two-thirds in each country rated organisations as a 9 or 10 on a 10-point scale in terms of how responsible they should be for preventing hacks and securing the personal information of their customers.
According to the survey, financial institutions have the best reputation when it comes to dealing with security breaches compared to other sectors.
They top the list of seven different industries in terms of how well they handle security issues for their customers, although government/local government and HMRC come in a respectable second.
Worryingly, retailers rank fourth and travel sites fifth in each country, while membership and hospitality businesses are the lowest ranked.
The Centrify study also shows that organisations are increasingly going public with news of security attacks and data breaches, often notifying their customers directly.
Around one third in the UK have been notified of a hack.
Of those notified of a hack, less than half (45 per cent) of those in the UK found out that their personal information, such as an address or credit card information, had been compromised.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=0bb914043f&e=20056c7556
NATO to Invest Billions of Euros to Tap Industry Cybersecurity Know-How
NATO is dangling roughly 3 billion euros ($3.4 billion) in funding for future cyber-based initiatives to match—and then surpass—the increasingly sophisticated attacks against its 28-member alliance, officials announced Tuesday on the inaugural day of the NITEC 2016 conference.
The NATO Communication and Information (NCI) Agency launched its small business mentoring program to harness the help small and medium enterprises (SMEs) contribute to NATO cyber defenses and help address emerging threats, such as three trends that prove most concerning for global government leaders, Adm. Michael Rogers, USN, commander of U.S. Cyber Command and director of the National Security Agency, shared at the conference, presented by the NCI Agency and AFCEA Europe and organized in cooperation with the Estonian Ministry of Defense.
NITEC 2016 runs from June 7-9 in Tallinn, Estonia.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=00396b91ed&e=20056c7556
How to survive in the CISO hot-seat
The CISO is a precarious job.
Research studies indicate that CISOs typically survive just 18 months to two years in a job which is increasingly complex and multi-skilled.
The consultancy found that CISOs on average spend 77 percent of their time as “technologists” and “guardians” on technical aspects of their positions, although they would like to reduce this to 35 percent – a sign of the times perhaps.
“The position as CISO is not for the faint of heart, it requires knowledge of disparate security technologies, risk management frameworks, as well as network and security architectures,” he said, adding that an understanding of federal and state law, as well as compliance and in developing security strategies, is also required.
Forcepoint Deputy CISO Neil Thacker told CSO that the five main challenges for today’s CISOs are managing risk, communicating with major stakeholders, managing security operations, ensuring data protection and guarding against the insider threat.
Matt Palmer, CISO at insurance broker Willis Towers Watson, says that often the biggest challenge is for security heads to look at how they can improve security operations.
“Most of the time in a large organization you will be spending your time with issues that are either historical or immediate; they require operational or tactical decisions rather than strategic.
Yet, the world is changing so fast that you have to be ruthlessly strategic.
When you try to do so, visibility is limited and the future often foggy.
Finding that clarity and aligning strategic and operational priorities in the best interest of all stakeholders is the challenge we face.”
Yet he adds that there are other pertinent issues, from educating, informing and managing expectations of senior stakeholders to improving security processes.
“A successful CISO is the person who is approachable and can help make educated decisions before, during and post incident.
They will have a good knowledge of the organization and understand the inner workings from business process through to data processing whilst utilizing their knowledge and intel from the threat and risk landscapes to position their team to be most effective when an incident arises.”
“I have yet to meet any CISO who thinks they have been successful, we are all too aware of the scale of the challenge and that the job is never done.
If you are one step ahead today, you are one step behind tomorrow.”
One question that continues to abound, even now, is how CISOs work with senior management.
In my recent piece, it was suggested that sacked CISOs often fall down on articulating the security problems – and solutions – to senior management.
And experts say that board understanding and security budgets are invariably linked.
“Boards and non-execs today often set a high standard, but very few have security expertise or seek external advice to challenge their internal security team effectively,” says Palmer, adding CISOs should always look to use their budget wisely, and utilize existing technology resources where possible.
As we explored recently, sacked CISOs are surprisingly hard to hear of, with most let go on “agreeable” terms in order to protect the public image of the company.
Yet CISOs do bounce back – even after multiple firings, illustrating the demand for these professionals.
“The best career development for me is to do what I do better.
Security practitioners should never stop learning.
Find team members who are better than you or develop them until they are better than you.
Make sure they have good challenges and be open to debate so they will challenge you and make you better.
Keep finding better ways to listen and communicate.
Doing things outside work helps too.
“A successful CISO will be involved in these communities and not only should offer advice and become a mentor, they will also learn from others such is the vast, varied challenge information security offers.”
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d3db985e67&e=20056c7556
How to build a thriving information security function despite the talent shortage
Much of the business world now recognizes the challenge in hiring enough qualified information security professionals.
As evidence of this, it was reported as part of the 2015 Global Cybersecurity Status Report that 92% of companies surveyed that planned to hire information security professionals, expected to have trouble doing so.
As I mentioned in “Good information security is fun-damental,” many organizations have sought to solve the staffing shortage by spending large amounts of capital on products designed to shore up security.
Unfortunately, virtually all of these expensive new products require significant care and feeding.
It would be a wonderful world if we could buy automation products that would provide great protection, and with only an on/off switch, but alas, the industry is not there yet.
As such, companies are discovering that once they buy that $250,000 security product, they need to immediately hire three people to manage it.
There are many tools and approaches available for automating routine monitoring.
My favorite class of tools in this area is log monitoring (Splunk, Graylog, Sumo Logic, etc).
These tools require some setup, but once done, you have one place to look for log entries from all of your systems, with some analytics functions that shortcut the monitoring effort.
There are many interns looking for some experience in information security as part of their college education.
Hiring them can be an invaluable approach to augmenting your security function.
Many information security functions can be outsourced, thus transferring your talent shortage problem to a vendor.
Examples of good outsourcing candidates include security operations and monitoring, firewall management, and patch management.
Bottom line: Staff shortages in information technology are not a new problem.
The specific discipline in short supply may change, but the problem will likely always be with us.
By being innovative and using sound management practices, you can thrive despite the lack of talent.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=596cd800d3&e=20056c7556
Security event management: 14 questions to ask before you buy
Demand for security information and event management (SIEM) technology is high, but that doesn’t mean businesses are running these products and services smoothly.
According to a report from Gartner, large companies are reevaluating SIEM vendors due to partial, marginal or failed deployments.
While the core technology has changed little in the last decade, its use cases and the pace at which businesses have adopted it have prompted a transformation, experts say.
If your SIEM isn’t meeting your standards, start by examining your environment, needs and capabilities first — then choose the appropriate solution that will deliver.
Here’s a look at 14 questions you need to ask both yourself and your vendor before you buy.
1- Is your current SIEM the problem?
2- Can you afford it?
3- What do I want to monitor?
4- What’s your commitment to SIEM?
5- How will I be charged?
6- Where does security analytics fit in your roadmap?
7- How do you support cloud environments?
8- How will you enable automation in the future?
9- Who are your partners?
10- How will you advance the SIEM?
11- I want to control the SIEM on-premises. What help is available?
12- I want to outsource this. How will you support me?
13- What training is available for my team?
14- Can you solve my specific use case?
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=615c092c9b&e=20056c7556
Enterprises Rather Pay Bitcoin Ransomware Fee Than Improve Cyber Security
One of the more disconcerting trends in the world we live in is the emergence of ransomware and malware attacks.
Things have gotten so much out of hand that companies are proactively buying Bitcoin to pay any ransom in case an attack happens.
While this may be a sound decision in some people’s eyes, the companies are inviting hackers to “do their worst”.
Citrix conducted a small survey to see how enterprises are dealing with malware and ransomware threats.
As it turns out, some of them turned to stockpiling Bitcoin to get rid of an infection as soon as possible.
To be more precise, one in three of the 250 companies indicated this was their current course of action.
The bigger concern is how this study also indicated half of the respondents do not perform regular data backups.
In this day and age of cyber security and data breaches, enterprises need to get their priorities in order.
Buying Bitcoin and playing the victim will not win them any sympathy.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=b85b7bb387&e=20056c7556
It takes 248 days for IT businesses to fix their software vulnerabilities
Compiled using data collected from tens of thousands of websites, a new WhiteHat Security report reveals that the majority of web applications exhibit, on average, two or more serious vulnerabilities per application for every industry at any given point in time.
The findings also highlight that the IT and retail industries struggle to remediate in a timely manner.
It takes 248 days for IT and 205 days for retail businesses to fix their software vulnerabilities.
According to the “Window of Exposure” data in the report, another key metric organizations need to pay attention to is the number of days an application has one or more serious vulnerabilities open during a given time period.
Across all industries, a substantial number of web applications remain always vulnerable.
A few key highlights:
* IT – 60 percent of web applications are always vulnerable
* Retail – half of all web applications are always vulnerable
* Banking and financial services – 40 and 41 percent of web applications are always vulnerable, respectively