<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Talk Tech To Me - GFI Blog &#187; Cristian Florian</title>
	<atom:link href="http://www.gfi.com/blog/author/cristian-florian/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.gfi.com/blog</link>
	<description>Brought to you by GFI Software</description>
	<lastBuildDate>Fri, 09 Aug 2013 17:06:10 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
		<item>
		<title>Report: The Most Vulnerable Operating Systems and Applications in 2012</title>
		<link>http://www.gfi.com/blog/report-the-most-vulnerable-operating-systems-and-applications-in-2012/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=report-the-most-vulnerable-operating-systems-and-applications-in-2012</link>
		<comments>http://www.gfi.com/blog/report-the-most-vulnerable-operating-systems-and-applications-in-2012/#comments</comments>
		<pubDate>Tue, 05 Feb 2013 12:57:09 +0000</pubDate>
		<dc:creator>Cristian Florian</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[TTTM]]></category>
		<category><![CDATA[applications]]></category>
		<category><![CDATA[national vulnerability database]]></category>
		<category><![CDATA[NVD]]></category>
		<category><![CDATA[security vulnerabilities]]></category>
		<category><![CDATA[vulnerabilities]]></category>
		<category><![CDATA[vulnerabilities 2012]]></category>
		<category><![CDATA[Vulnerable Operating Systems]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=10279</guid>
		<description><![CDATA[Vulnerabilities in software and operating systems remain a thorn in the side for administrators around the world. A single vulnerability exploited by the bad guys can bring a company to its knees. Maintaining patched systems is a must in today’s &#8230;]]></description>
				<content:encoded><![CDATA[<p>Vulnerabilities in software and operating systems remain a thorn in the side for administrators around the world. A single vulnerability exploited by the bad guys can bring a company to its knees. Maintaining patched systems is a must in today’s ever-changing security landscape. Yet, in number terms, what are we looking at? What is the situation like? Has it improved or deteriorated? Are vendors fighting a losing battle? Read on for an in-depth look at some of the significant statistics on the vulnerabilities reported in 2012 (these results are compiled based on the data from the <a href="http://nvd.nist.gov/">National Vulnerability Database (NVD)</a>).</p>
<p>An alarming 4,347 new security vulnerabilities were reported in 2012, the highest number over the last three years. This means that nearly 12 new security vulnerabilities were discovered each day last year, compared with the 3,532 vulnerabilities reported for 2011 (a rate of about 10 new vulnerabilities discovered every day).<span id="more-10279"></span></p>
<div id="attachment_10280" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/02/number-of-vulnerabilities-2007-2012.jpg"><img class="size-medium wp-image-10280   " title="number of vulnerabilities 2007 - 2012" alt="" src="http://www.gfi.com/blog/wp-content/uploads/2013/02/number-of-vulnerabilities-2007-2012-300x97.jpg" width="300" height="97" /></a><p class="wp-caption-text"># of vulnerabilities 2007 &#8211; 2012 (Click to enlarge)</p></div>
<p>If we break down the number of vulnerabilities by severity, there are fewer high severity vulnerabilities than there were in 2011; it is the number of medium and low severity vulnerabilities that has consistently increased.</p>
<p>Around 35% of the vulnerabilities discovered in 2012 were rated as having a high severity level. This percentage of high severity vulnerabilities, while still significant and considerably higher than vendors and customers would probably like, has been on the decrease for the last five years.</p>
<div id="attachment_10281" class="wp-caption aligncenter" style="width: 253px"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/02/Vulnerability-distribution-by-severity-2012.jpg"><img class=" wp-image-10281   " title="Vulnerability distribution by severity - 2012" alt="" src="http://www.gfi.com/blog/wp-content/uploads/2013/02/Vulnerability-distribution-by-severity-2012-300x290.jpg" width="243" height="235" /></a><p class="wp-caption-text">Vulnerability distribution by severity &#8211; 2012 (Click to enlarge)</p></div>
<div id="attachment_10282" class="wp-caption aligncenter" style="width: 280px"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/02/High-severity-vulnerabilities-2008-2012.jpg"><img class=" wp-image-10282  " title="High severity vulnerabilities 2008 - 2012" alt="" src="http://www.gfi.com/blog/wp-content/uploads/2013/02/High-severity-vulnerabilities-2008-2012-300x236.jpg" width="270" height="212" /></a><p class="wp-caption-text">High severity vulnerabilities 2008 &#8211; 2012 (Click to enlarge)</p></div>
<p>A total of 1107 vendors reported vulnerabilities in 2012, with the top 10 vendors accounting for 41% of them. If we compare this figure to previous years, we can see that hackers and security researchers seem to be focusing on a larger number of vendors, and that the percentage of vulnerabilities found in the major vendors' products is gradually decreasing.</p>
<div id="attachment_10283" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/02/Vulnerability-trends-for-top-vendors-2010-2012.jpg"><img class="size-medium wp-image-10283 " title="Vulnerability trends for top vendors 2010 - 2012" alt="" src="http://www.gfi.com/blog/wp-content/uploads/2013/02/Vulnerability-trends-for-top-vendors-2010-2012-300x170.jpg" width="300" height="170" /></a><p class="wp-caption-text">Vulnerability trends for top vendors 2010 &#8211; 2012 (Click to enlarge)</p></div>
<p>Top 10 vendors by number of vulnerabilities reported in 2012:</p>
<div id="attachment_10284" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/02/Top-10-vendors-by-number-of-vulnerabilities-2012-Click-to-enlarge.jpg"><img class="size-medium wp-image-10284 " title="Top 10 vendors by number of vulnerabilities - 2012 (Click to enlarge)" alt="" src="http://www.gfi.com/blog/wp-content/uploads/2013/02/Top-10-vendors-by-number-of-vulnerabilities-2012-Click-to-enlarge-300x160.jpg" width="300" height="160" /></a><p class="wp-caption-text">Top 10 vendors by number of vulnerabilities &#8211; 2012 (Click to enlarge)</p></div>
<p>While the above list contains almost the same vendors as it did in 2011, some of the rankings have changed. Let&#8217;s look at a few details:</p>
<ul>
<li>Oracle tops the chart with 424 vulnerabilities, much higher than its 262 entries in 2011. A significant number of these vulnerabilities are related to Java.</li>
<li>Apple reported the most high severity vulnerabilities during 2012. Safari, iTunes and iOS generated most of them.</li>
<li>Microsoft continues to reduce its number of reported vulnerabilities: 169 in 2012, down from 244 in 2011 and 318 in 2010.</li>
<li>Google had the most vulnerabilities in 2011, but now lies in sixth position with only half the vulnerabilities it reported in 2011.</li>
</ul>
<p>86% of reported vulnerabilities come from third party applications, 10% from operating systems and 4% from hardware devices.</p>
<div class="wp-caption aligncenter" style="width: 250px"><a style="color: #ff4b33; line-height: 24px; font-size: 16px;" href="http://www.gfi.com/blog/wp-content/uploads/2013/02/Vulnerability-distribution-by-product-type-2012.jpg"><img class="wp-image-10285 " style="margin-top: 10px; margin-bottom: 10px; border: 0px solid black;" title="Vulnerability distribution by product type - 2012" alt="" src="http://www.gfi.com/blog/wp-content/uploads/2013/02/Vulnerability-distribution-by-product-type-2012-300x250.jpg" width="240" height="200" /></a><p class="wp-caption-text">Vulnerability distribution by product type &#8211; 2012 (Click to enlarge)</p></div>
<p>Cisco is by far the most targeted among hardware device vendors. For operating systems and third party applications, more details are available below.</p>
<h2>Most Targeted Operating Systems in 2012</h2>
<div id="attachment_10286" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/02/Most-Targeted-Operating-Systems-in-2012.jpg"><img class="size-medium wp-image-10286 " title="Most Targeted Operating Systems in 2012" alt="" src="http://www.gfi.com/blog/wp-content/uploads/2013/02/Most-Targeted-Operating-Systems-in-2012-300x229.jpg" width="300" height="229" /></a><p class="wp-caption-text">Most Targeted Operating Systems in 2012 (Click to enlarge)</p></div>
<p>For the first time in several years, Microsoft operating systems do not monopolize the top five positions. Windows operating systems still generate huge interest, but the number of vulnerabilities reported for them has dropped by around half compared with 2011. They have now been surpassed by Apple iOS, which saw 86 vulnerabilities &#8211; more than double the 35 entries reported in 2011. These numbers confirm that mobile platforms are garnering more and more attention from security researchers and hackers.</p>
<p>An interesting entry into the chart this year is VMware ESX/ESXi. The virtualization market is growing and the security focus has shifted to follow the trend.</p>
<h2>Most Targeted Applications in 2012</h2>
<div id="attachment_10287" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.gfi.com/blog/wp-content/uploads/2013/02/Most-Targeted-Applications-in-2012.jpg"><img class="size-medium wp-image-10287 " title="Most Targeted Applications in 2012" alt="" src="http://www.gfi.com/blog/wp-content/uploads/2013/02/Most-Targeted-Applications-in-2012-300x240.jpg" width="300" height="240" /></a><p class="wp-caption-text">Most Targeted Applications in 2012 (Click to enlarge)</p></div>
<p>The top targeted applications are, with a few minor changes, the same as in previous years. However, when compared against 2011 figures, RealNetworks RealPlayer and Microsoft Office no longer occupy the top slots. New entrants are ESR versions of Mozilla Firefox and Thunderbird, as well as FFmpeg. <a href="http://www.gfi.com/blog/the-most-vulnerable-operating-systems-and-applications-in-2011/">Click here</a> to view and compare with statistics from 2011.</p>
<h2>Other interesting highlights are:</h2>
<ul>
<li>Consistently, year after year, web browsers and their add-ons continue to generate the most interest.</li>
<li>454 vulnerabilities were reported in 2012 for the top five web browsers (Mozilla Firefox, Google Chrome, Apple Safari, Microsoft Internet Explorer and Opera Browser). This figure is greater than the number of vulnerabilities reported in 2012 for all operating systems combined (which had “only” 436 vulnerabilities). However, it does represent a drop from 2011, when the top five browsers accumulated 515 vulnerabilities between them.</li>
<li>Mozilla Firefox had 159 vulnerabilities during 2012, making it &#8211; once again &#8211; the application with the most vulnerabilities discovered for the year. The last time it held this ‘honor’ was in 2009, with Google Chrome occupying the top spot in 2010 and 2011 (and this year falling just behind Mozilla products).</li>
<li>To keep systems secure, it is critical to keep them fully patched. It is important to dedicate extra attention and assign priority to:
<ul>
<li>Operating systems</li>
<li>Web browsers</li>
<li>Adobe free products (Flash Player, Reader, Shockwave Player, AIR)</li>
<li>Java</li>
<li>Apple applications (iTunes and QuickTime)</li>
</ul>
</li>
</ul>
<p>So how can you keep your systems secure and fully patched with little effort? Have a look at what <a href="http://www.gfi.com/pages/vulnerability-management.asp/?adv=13558&amp;loc=23">GFI LanGuard®</a> can do for your business today!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/report-the-most-vulnerable-operating-systems-and-applications-in-2012/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Security Patching Trends for Major Software Vendors</title>
		<link>http://www.gfi.com/blog/security-patching-trends-for-major-software-vendors/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=security-patching-trends-for-major-software-vendors</link>
		<comments>http://www.gfi.com/blog/security-patching-trends-for-major-software-vendors/#comments</comments>
		<pubDate>Tue, 13 Mar 2012 17:00:22 +0000</pubDate>
		<dc:creator>Cristian Florian</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[TTTM]]></category>
		<category><![CDATA[Adobe]]></category>
		<category><![CDATA[Apple]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Mozilla]]></category>
		<category><![CDATA[Oracle]]></category>
		<category><![CDATA[patch release cycles]]></category>
		<category><![CDATA[security patching]]></category>
		<category><![CDATA[Security Patching Trends]]></category>
		<category><![CDATA[Software Vendors]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=8279</guid>
		<description><![CDATA[An important aspect of patch management and your patching schedule is to understand the patch release cycles adopted by the most important software vendors. In this post, we take a look at some statistics on this topic and how patch &#8230;]]></description>
				<content:encoded><![CDATA[<p>An important aspect of patch management and your patching schedule is to understand the patch release cycles adopted by the most important software vendors. In this post, we take a look at some statistics on this topic and how patch release cycles have changed over the last few years.</p>
<p>The big players in the software industry are taking security seriously. They are becoming more efficient at fixing security issues, and the results are evident. Six vendors (Microsoft, Adobe, Mozilla, Apple, Oracle and Google) together released 257 security bulletins/advisories fixing 1,521 vulnerabilities in 2011. In 2010, these vendors fixed 1,458 vulnerabilities.</p>
<p>In practice, a typical machine that is not patched will be exposed to between 30 and 50 new security vulnerabilities for each month that has passed since it was last patched. More statistics about vulnerabilities discovered in 2011 are available <a href="http://www.gfi.com/blog/the-most-vulnerable-operating-systems-and-applications-in-2011/">here</a>.<span id="more-8279"></span><br />
<a href="http://www.gfi.com/blog/wp-content/uploads/2012/03/number-of-security-bulletins-and-fixed-vulnerabilities.png"><img class="lightbox" style="border-image: initial; border-width: 0px; border-color: black; border-style: solid; margin: 10px;" title="number-of-security-bulletins-and-fixed-vulnerabilities" src="http://www.gfi.com/blog/wp-content/uploads/2012/03/number-of-security-bulletins-and-fixed-vulnerabilities.png" alt="" width="482" height="576" /></a></p>
<h2>Microsoft</h2>
<p>Microsoft releases its security updates on the second Tuesday of every month. This well-known release schedule helps users plan their deployments accordingly. It is recommended that new patches are tested before they are applied in a production environment, because some patches can cause problems ranging from preventing a service from starting to crashing the system. Occasionally, when critical vulnerabilities are identified or have been publicly disclosed, Microsoft releases a fix outside the regular schedule.</p>
<p>100 security bulletins were released by Microsoft in 2011, addressing 240 vulnerabilities. This is fewer than in 2010, when 106 security bulletins were released, addressing 266 vulnerabilities. The number of critical security issues detected in Microsoft products is decreasing; however, the number of security updates remains high due to non-critical security issues.</p>
<h2>Adobe</h2>
<p>Adobe adopted the Microsoft model of releasing its security updates on “Patch Tuesdays”. This is because customers wanted a single patch cycle for both Adobe and Microsoft, so that it would be easier for them to keep their systems fully patched. Adobe products were a preferred target for hackers and security researchers over the past few years, and numerous fixes were released as a result.</p>
<p>A total of 29 security bulletins were released by Adobe in 2011, addressing 197 vulnerabilities. This is one less bulletin than in 2010 when there were 30 security bulletins, addressing 202 vulnerabilities.</p>
<h2>Mozilla</h2>
<p>Mozilla releases a new version of Firefox that includes the latest security fixes every six weeks. Occasionally they release updates containing security fixes out of the normal six-week cycle.</p>
<p>59 security bulletins were released by Mozilla in 2011, addressing 93 vulnerabilities &#8211; fewer than the 84 security bulletins released in 2010, addressing 102 vulnerabilities.</p>
<h2>Apple</h2>
<p>Apple neither pre-announces its security updates nor releases them on a regular schedule, which makes it difficult for companies to prepare for patch deployment in their environments. Apple’s software is also based on a large number of third party components that have their own vulnerabilities. For example, an update for Mac OS X will probably include fixes for Apache, MySQL, Java, OpenSSL, PHP, Python and so on. The problem with this is the window of time between the moment a vulnerability is fixed in the third-party component and the moment Apple ships the updated component in its own system.</p>
<p>Apple does not provide a severity rating for its bulletins, but they usually contain a large number of fixes and must all be treated as critical.</p>
<p>The number of security bulletins released by Apple has been fairly constant over the last few years &#8211; between 30 and 40 bulletins per year. 38 security bulletins were released by Apple in 2011, addressing an impressive 402 vulnerabilities. The same number of bulletins was released in 2010. Two years ago the number of vulnerabilities hit 468.</p>
<h2>Oracle</h2>
<p>Oracle releases their security updates using two schedules. Java updates are released three times per year in February, June and October. All other products’ security updates are released once per quarter in January, April, July and October.</p>
<p>As the updates are concentrated in quarterly batches, all security bulletins from Oracle (except for the Java updates) include a large number of security fixes for a large number of Oracle products, and they are all rated critical.</p>
<p>Occasionally – one to two times a year – for some high impact vulnerabilities, Oracle does provide an out-of-band security fix.</p>
<p>334 vulnerabilities were fixed in the nine security bulletins provided by Oracle in 2011. This is more than the 273 vulnerabilities addressed in 2010.</p>
<h2>Google</h2>
<p>Google releases security updates for Google Chrome constantly, sometimes as often as three times a month. Their release cycle is fast and the product is updated on a continuous basis. This is fine for home users who let the product update itself automatically, but for enterprises that want to test patches before applying them in a production environment it can be overwhelming: Google Chrome receives more security fixes, and twice as often, than all Microsoft products together. The number of vulnerabilities discovered in Google Chrome is also on the increase.</p>
<p>22 Google Chrome updates contained security fixes for 255 vulnerabilities in 2011. This is more than the 147 vulnerabilities addressed by security fixes in 2010.</p>
<p><strong>Sources:</strong></p>
<p>Microsoft &#8211; <a href="http://technet.microsoft.com/en-us/security/bulletinarchive?y=2012&amp;m=1" target="_blank">http://technet.microsoft.com/en-us/security/bulletinarchive?y=2012&amp;m=1</a></p>
<p>Adobe &#8211; <a href="http://www.adobe.com/support/security/index.html" target="_blank">http://www.adobe.com/support/security/index.html</a></p>
<p>Mozilla &#8211; <a href="http://www.mozilla.org/security/announce/" target="_blank">http://www.mozilla.org/security/announce/</a></p>
<p>Oracle &#8211; <a href="http://www.oracle.com/technetwork/topics/security/alerts-086861.html?ssSourceSiteId=ocomen" target="_blank">http://www.oracle.com/technetwork/topics/security/alerts-086861.html?ssSourceSiteId=ocomen</a></p>
<p>Apple &#8211; <a href="http://support.apple.com/kb/HT1222" target="_blank">http://support.apple.com/kb/HT1222</a></p>
<p>Google &#8211; <a href="http://googlechromereleases.blogspot.com/search/label/Stable%20updates" target="_blank">http://googlechromereleases.blogspot.com/search/label/Stable%20updates</a></p>
<p><em>Like our surveys and infographics? Subscribe to our <a href="http://feeds.feedburner.com/TalkTechToMe-All">RSS feed</a> or email feed (on the right hand side) now, and be the first to get them!</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/security-patching-trends-for-major-software-vendors/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Research: Web Browser War, Security Battle in 2011</title>
		<link>http://www.gfi.com/blog/research-web-browser-war-security-battle-in-2011/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=research-web-browser-war-security-battle-in-2011</link>
		<comments>http://www.gfi.com/blog/research-web-browser-war-security-battle-in-2011/#comments</comments>
		<pubDate>Mon, 05 Mar 2012 15:00:59 +0000</pubDate>
		<dc:creator>Cristian Florian</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[TTTM]]></category>
		<category><![CDATA[Apple Safari]]></category>
		<category><![CDATA[Google Chrome]]></category>
		<category><![CDATA[Internet Explorer]]></category>
		<category><![CDATA[Mozilla Firefox]]></category>
		<category><![CDATA[national vulnerability database]]></category>
		<category><![CDATA[Opera Browser.]]></category>
		<category><![CDATA[vulnerabilities]]></category>
		<category><![CDATA[web browsers]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=8216</guid>
		<description><![CDATA[No web browser is fully secure and research shows that vulnerabilities in web browsers are a target for hackers and criminals. Patching your browser will reduce the risk of a security breach. And there is good reason why. In 2011, &#8230;]]></description>
<content:encoded><![CDATA[<p>No web browser is fully secure, and research shows that vulnerabilities in web browsers are a target for hackers and criminals. Patching your browser will reduce the risk of a security breach, and there is good reason why. In 2011, as in 2010, web browsers had the highest number of security vulnerabilities reported compared to other applications. These vulnerabilities can be used to target web servers, web applications and end-user machines, hence the considerable interest in them.</p>
<p>In 2011, the <a href="http://nvd.nist.gov/">National Vulnerability Database</a> reported that the top five browsers together had 515 vulnerabilities. This is more than the vulnerabilities reported for all operating systems together, and on a rising trend since 2010, when it was reported that together they had 472 vulnerabilities.<span id="more-8216"></span></p>
<p>However, not all browsers follow the same trend. Mozilla Firefox, Microsoft Internet Explorer and Apple Safari have fewer vulnerabilities than last year, while Google Chrome and Opera Browser have more. Below are more detailed statistics for each browser:<br />
<a href="http://www.gfi.com/blog/wp-content/uploads/2012/03/web-browser-vulnerabilities.png"><img class="lightbox" style="border-image: initial; border-width: 0px; border-color: black; border-style: solid; margin: 10px;" title="web-browser-vulnerabilities" src="http://www.gfi.com/blog/wp-content/uploads/2012/03/web-browser-vulnerabilities.png" alt="" width="515" height="617" /></a></p>
<p><strong>Google Chrome:</strong> The number of reported security vulnerabilities is rising steeply. Google Chrome is the application with the highest number of security vulnerabilities reported for the second year in a row. 275 new security vulnerabilities were discovered last year, a really impressive number. For example, Microsoft “only” had 244 vulnerabilities reported in 2011 across all their products!</p>
<p><strong>Mozilla Firefox:</strong> The number of reported vulnerabilities has been declining since its peak in 2009, when Firefox was the application with the highest number of vulnerabilities discovered for the year. 97 new security vulnerabilities were discovered last year. This is slightly lower than the 103 vulnerabilities reported in 2010.</p>
<p><strong>Internet Explorer:</strong> Security improvements added in the latest versions have contributed to a steadily declining number of vulnerabilities discovered in the browser over the past years. 45 new security vulnerabilities were discovered last year in Microsoft Internet Explorer. This is fewer than the 59 vulnerabilities reported in 2010.</p>
<p><strong>Apple Safari:</strong> After the peak it had in 2010, the number of vulnerabilities is lower in 2011. 45 new security vulnerabilities were discovered last year. This is a good improvement compared with the 122 vulnerabilities reported in 2010.</p>
<p><strong>Opera Browser:</strong> The number of vulnerabilities reported in 2011 is rising, but the trend started from low levels and the number of critical vulnerabilities is still well below that of other browsers. 53 new security vulnerabilities were discovered last year. This is more than the 36 vulnerabilities reported in 2010.</p>
<p>96% of all vulnerabilities in web browsers were disclosed to the public only after a fix was available from the vendor. This indicates that keeping your systems fully patched is crucial to reduce the risk of a security breach caused by a vulnerability in the web browser.</p>
<p>20 vulnerabilities out of the total of 515 either have no fix from the vendor at all or had a fix released only after the vulnerability was disclosed to the public. These are what security specialists call zero-day vulnerabilities, and they are usually very dangerous because it is hard or impossible to protect against attacks exploiting vulnerabilities that have no fix available.</p>
<p><img class="lightbox" style="border-image: initial; border-width: 0px; border-color: black; border-style: solid; margin: 10px;" title="web-browser-zero-day-vulnerabilities-2011" src="http://www.gfi.com/blog/wp-content/uploads/2012/03/web-browser-zero-day-vulnerabilities-2011.png" alt="" width="507" height="289" /></p>
<p>Public exploits for vulnerabilities reported in 2011 are available on the Internet for each web browser. Zero-day exploits are ones that were available on the Internet before a fix was available from the vendor. Here is what I easily found (deeper research would probably have found more):</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2012/03/web-browser-public-exploits-2011.png"><img class="lightbox" style="border-image: initial; border-width: 0px; border-color: black; border-style: solid; margin: 10px;" title="web-browser-public-exploits-2011" src="http://www.gfi.com/blog/wp-content/uploads/2012/03/web-browser-public-exploits-2011.png" alt="" width="506" height="304" /></a></p>
<p>While there are some differences in the number of vulnerabilities and exploits for each browser the fact is that there is no such thing as a web browser that’s completely secure and therefore, patching them is one way to lower the risk of a security breach as much as possible.</p>
<p>Vulnerability and exploit sources used in this research:</p>
<p><a href="http://nvd.nist.gov/">http://nvd.nist.gov</a><br />
<a href="http://www.exploit-db.com/" target="_blank">http://www.exploit-db.com</a><br />
<a href="http://www.osvdb.org/" target="_blank">http://www.osvdb.org</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/research-web-browser-war-security-battle-in-2011/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>The Most Vulnerable Operating Systems and Applications in 2011</title>
		<link>http://www.gfi.com/blog/the-most-vulnerable-operating-systems-and-applications-in-2011/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=the-most-vulnerable-operating-systems-and-applications-in-2011</link>
		<comments>http://www.gfi.com/blog/the-most-vulnerable-operating-systems-and-applications-in-2011/#comments</comments>
		<pubDate>Mon, 27 Feb 2012 15:00:29 +0000</pubDate>
		<dc:creator>Cristian Florian</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[TTTM]]></category>
		<category><![CDATA[applications]]></category>
		<category><![CDATA[Google Chrome]]></category>
		<category><![CDATA[Operating Systems]]></category>
		<category><![CDATA[vulnerabilities]]></category>
		<category><![CDATA[web browsers]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=8221</guid>
<description><![CDATA[As a sys admin, you should try to keep abreast of all the latest and most important security updates for operating systems, applications and so on. Here is an in-depth look at some of the statistics around vulnerabilities that I &#8230;]]></description>
<content:encoded><![CDATA[<p>As a sys admin, you should try to keep abreast of all the latest and most important security updates for operating systems, applications and so on. Here is an in-depth look at some of the statistics around vulnerabilities that I collated for 2011.</p>
<p>To begin with, the <a href="http://nvd.nist.gov/">National Vulnerability Database (NVD)</a> reports 3532 vulnerabilities in 2011. This means that last year about ten new security vulnerabilities were discovered each day. While the rate of newly discovered vulnerabilities is impressive, the good news is that the trend is downward: 4258 vulnerabilities were reported in 2010, and the peak was in 2008, when almost 7000 vulnerabilities were reported.<span id="more-8221"></span></p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2012/03/number-of-vulnerabilities-2007-2011.png"><img class="lightbox" style="border-image: initial; border-width: 0px; border-color: black; border-style: solid; margin: 10px;" title="number-of-vulnerabilities-2007-2011" src="http://www.gfi.com/blog/wp-content/uploads/2012/03/number-of-vulnerabilities-2007-2011.png" alt="number of vulnerabilities 2007-2011" width="479" height="130" /></a></p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2012/03/vulnerability-distribution-by-severiry-2011.png"><img class="lightbox alignright" style="border-image: initial; border-width: 0px; border-color: black; border-style: solid; margin: 10px;" title="vulnerability-distribution-by-severiry-2011" src="http://www.gfi.com/blog/wp-content/uploads/2012/03/vulnerability-distribution-by-severiry-2011.png" alt="vulnerability distribution by severity - 2011" width="337" height="174" /></a>43% of vulnerabilities discovered in 2011 are rated as having a HIGH severity level. The percentage of critical issues is considerable and remains fairly constant over the years. A high severity rating usually means the vulnerability can be exploited remotely with high impact on the targeted machines. Luckily, the majority of vulnerabilities have a fix available from the vendors by the time they are disclosed to the public. It is extremely important, however, to keep your network fully patched.</p>
<p><span style="text-align: center;">Vulnerabilities were reported for 722 vendors, but the top 10 vendors account for 50% of them:</span></p>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2012/03/vulnerability-table.png"><img class="lightbox aligncenter" style="border-image: initial; margin-top: 10px; margin-bottom: 10px; border-width: 0px; border-color: black; border-style: solid;" title="vulnerability-table" src="http://www.gfi.com/blog/wp-content/uploads/2012/03/vulnerability-table.png" alt="vulnerability table" width="537" height="262" /></a></p>
<p>Microsoft continues to have the highest number of critical vulnerabilities, but the total number of Microsoft vulnerabilities in 2011 is down to 244 from 318 in 2010.</p>
<p>An interesting trend can be observed for Google, which in 2011 had the highest number of vulnerabilities reported in NVD, up to 299 vulnerabilities from 155 in 2010. The majority of them are in Google Chrome.</p>
<p>85% of reported vulnerabilities are in third party applications, 12% in operating systems and 3% in hardware devices.</p>
<p><a href="http://www.gfi.com/blog/wp-content/uploads/2012/03/vulnerability-distribution-by-product-type-2011.png"><img class="lightbox alignleft" style="border-image: initial; border-width: 0px; border-color: black; border-style: solid; margin: 10px;" title="vulnerability-distribution-by-product-type-2011" src="http://www.gfi.com/blog/wp-content/uploads/2012/03/vulnerability-distribution-by-product-type-2011.png" alt="" width="374" height="244" /></a>The number of vulnerabilities discovered in operating systems and hardware devices since 2008 has remained at around the same levels (400-500 vulnerabilities per year in operating systems and 100-200 per year in hardware devices). The situation is different for third party applications, where the number of vulnerabilities has fallen steadily since 2008: 3091 vulnerabilities were reported in 2011 compared with 6378 in 2008. In practice, about 50% fewer vulnerabilities were discovered in third party applications in 2011 than in 2008.</p>
<h2>Most Targeted Operating Systems in 2011</h2>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2012/03/OS-table.png"><img class="lightbox aligncenter" style="border-image: initial; border-width: 0px; border-color: black; border-style: solid; margin: 10px;" title="OS-table" src="http://www.gfi.com/blog/wp-content/uploads/2012/03/OS-table.png" alt="OS Table" width="539" height="414" /></a></p>
<p>Microsoft operating systems are by far the most targeted, followed by Cisco IOS and Apple Mac OS X.</p>
<p>Google Android entered the top list this year. It will be interesting to observe its evolution next year, as the number of Android smartphones and tablets increases at a fast rate and it is expected to attract more and more interest from security researchers and hackers. The same applies to Apple iOS, which already has a good number of vulnerabilities.</p>
<h2>Most Targeted Applications in 2011</h2>
<p style="text-align: center;"><a href="http://www.gfi.com/blog/wp-content/uploads/2012/03/Application-table.png"><img class="lightbox aligncenter" style="border-image: initial; border-width: 0px; border-color: black; border-style: solid; margin: 10px;" title="Application-table" src="http://www.gfi.com/blog/wp-content/uploads/2012/03/Application-table.png" alt="Application Table" width="538" height="426" /></a></p>
<p>The applications with the highest number of vulnerabilities reported in 2011 are – with small changes – the same as in 2010. Here are some highlights:</p>
<ul>
<li>Web browsers and their add-ins continue to generate the most interest.</li>
<li>Along with the operating systems and web browsers, the following must be monitored and kept fully patched at all times: Adobe products (Flash Player, Reader, Shockwave Player, AIR), Java, Microsoft Office and other popular and widely deployed applications like Apple iTunes, Apple QuickTime and RealPlayer.</li>
<li>Google Chrome remains, as in 2010, the application with the largest number of vulnerabilities reported in NVD. Moreover, the number of vulnerabilities reported in 2011 almost doubled compared to 2010, from 152 to 275.</li>
<li>Apple iTunes saw an impressive increase in vulnerabilities discovered in 2011 compared to 2010, from 8 to 78.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/the-most-vulnerable-operating-systems-and-applications-in-2011/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Can Companies Defend Against Targeted Attacks? (Part 2)</title>
		<link>http://www.gfi.com/blog/companies-defend-targeted-attacks-part-2/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=companies-defend-targeted-attacks-part-2</link>
		<comments>http://www.gfi.com/blog/companies-defend-targeted-attacks-part-2/#comments</comments>
		<pubDate>Tue, 01 Mar 2011 18:41:25 +0000</pubDate>
		<dc:creator>Cristian Florian</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[security attacks]]></category>
		<category><![CDATA[security threats]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=3155</guid>
		<description><![CDATA[In the previous post I wrote about the interesting questions raised due to the hacking of IT security firm HBGary. What should we learn from this incident? So, going back to HBGary &#8211; why were they apparently so easy to &#8230;]]></description>
				<content:encoded><![CDATA[<p><a class="lightbox" title="barbed wire" href="http://www.gfi.com/blog/wp-content/uploads/2011/02/barbed-wire.jpg"><img class="alignright size-medium wp-image-3152" style="margin: 10px; border: 0px solid black;" title="barbed wire" src="http://www.gfi.com/blog/wp-content/uploads/2011/02/barbed-wire-300x225.jpg" alt="" width="300" height="225" /></a>In the previous post I wrote about <a href="http://www.gfi.com/blog/companies-defend-targeted-attacks-part-1/" target="_blank">the interesting questions raised due to the hacking of IT security firm HBGary</a>. What should we learn from this incident?</p>
<p>So, going back to HBGary &#8211; why were they apparently so easy to hack?</p>
<p>It is not because they have no clue about security, but rather because they underestimated the risks. When:</p>
<ul>
<li>you are an IT security company</li>
<li>your customers are governmental institutions or huge enterprises that are very sensitive to bad press</li>
<li>you start a war with hackers</li>
</ul>
<p>… you need to drastically raise your security level.</p>
<p>Ok, but how high?</p>
<p><span id="more-3155"></span>If they had not been vulnerable to that SQL injection, had used only highly secure passwords and had kept their systems fully patched, would that have been enough? The answer is yes for most companies, but probably not for HBGary.</p>
<p>Why is that? Because (judging by their actions) Anonymous seemed to have both the desire and the resources to raise the bar to a much higher level too. It would probably have been harder for them, but since they were able to combine social engineering with SQL injection, password cracking and exploits of missing security updates, I don’t see any reason why they would not have been capable of subtler social engineering or of finding and using 0-day exploits.</p>
<p>A lot of companies would not be able to successfully defend against such an attack, but the truth is that the risk of facing such aggressive actions is minimal for the large majority of companies.</p>
<p>HBGary got in trouble because they started a war with an enemy that proved to be much stronger than they thought. But what are the chances of an average company being targeted? A common mistake that leads to the underestimation of risks is to think that you are too small or too unimportant to get attention and become a target. Again, the key is the balance between security enforcement and the potential damage a security breach will cause.</p>
<p>Of course, companies like Amazon or Apple have much more valuable data than a small local shop. But they also have more powerful security systems. Breaking into them is extremely difficult, requires a lot of resources and carries a high risk of being caught. If the security of the local shop is almost nonexistent, then it is probably a more attractive target than these big companies are, because hackers will get decent earnings with low effort and low risk. If the local shop raises its security a bit higher, it will probably reach the point where hackers decide it is not profitable to waste time and resources attacking it.</p>
<p>What are the critical points to consider when building your defense?</p>
<p>You are only as secure as your weakest point, so it is crucial to concentrate on all aspects of security:</p>
<ul>
<li>Restrict physical access</li>
<li>Build the security software infrastructure</li>
<li>Create and enforce security policies</li>
<li>Train your people on how to apply these policies and how to avoid being tricked through social engineering.</li>
</ul>
<p>People are an important part of the equation and probably the most difficult to deal with. Even if your security policies are OK, and they are correctly applied by all employees, it is virtually impossible to know and control what happens when your employees are at home. Nobody can stop them from publishing data on social networks which could compromise your security; nobody stops people from reusing the super secure passwords they use at work on a dubious site that can be very easy to hack.</p>
<p>To maximize correct usage and acceptance of security policies, people need to clearly understand why the policies are necessary, and the policies need to be designed to interfere minimally with the normal working flow. Keeping the <a href="http://www.gfi.com/blog/security-usability-finding-balance/">balance between security and usability</a> is very important. Unnatural, hard-to-apply security policies are among the worst things that can happen to a company from a security point of view, because they give a false sense of security while in reality people will find ways to bypass them.</p>
<p>Companies want their employees to use secure passwords, but very few of them teach people techniques for generating secure passwords that are easy to remember. So they may end up with an environment vulnerable to social engineering, simply because administrators are used to password reset requests and will not react when they receive a dubious one.</p>
<p>Other risks that are hard to foresee and control are the vulnerabilities in the applications used in the business environment. The most secure approach is to isolate the computers from the rest of the world by restricting online access; however, this is not always possible. To mitigate the risks you need to be selective about which applications are allowed in the business environment and make sure they are fully patched.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/companies-defend-targeted-attacks-part-2/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Can Companies Defend Against Targeted Attacks? (Part 1)</title>
		<link>http://www.gfi.com/blog/companies-defend-targeted-attacks-part-1/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=companies-defend-targeted-attacks-part-1</link>
		<comments>http://www.gfi.com/blog/companies-defend-targeted-attacks-part-1/#comments</comments>
		<pubDate>Thu, 24 Feb 2011 16:10:36 +0000</pubDate>
		<dc:creator>Cristian Florian</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[security attacks]]></category>
		<category><![CDATA[security threats]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=3151</guid>
		<description><![CDATA[The story with all the interesting details about how security company HBGary was hacked earlier this month, published by Ars Technica last week, has made quite some noise with people concerned about IT security. It is a perfect – by &#8230;]]></description>
				<content:encoded><![CDATA[<p><a class="lightbox" title="barbed wire" href="http://www.gfi.com/blog/wp-content/uploads/2011/02/barbed-wire.jpg"><img class="alignright size-medium wp-image-3152" style="margin: 10px; border: 0px solid black;" title="barbed wire" src="http://www.gfi.com/blog/wp-content/uploads/2011/02/barbed-wire-300x225.jpg" alt="" width="300" height="225" /></a>The story with all the interesting details about how security company HBGary was hacked earlier this month, published by <a href="http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars/">Ars Technica</a> last week, has made quite some noise among people concerned about IT security. It is a perfect – by the book – example of how to find and use weaknesses in a security system to bypass it.</p>
<p><span id="more-3151"></span>In short, what happened is the following: the CEO of HBGary Federal wanted to increase publicity around his company by exposing the real identities of the leaders of a well-known group of hackers called Anonymous. To do this he infiltrated their IRC chat rooms and researched profiles on social networks like Facebook, LinkedIn or Twitter. When he thought that he had found what he was looking for, he started to make noise about his achievement by publishing articles in newspapers, setting up meetings with the FBI and revealing his true identity to Anonymous. This made the group of hackers very angry, and their response was devastating for HBGary, which had its servers broken into, its email messages published on the Internet and its websites hacked. Additionally, the results of the research that generated all this trouble turned out to be unreliable.</p>
<p>The next hit for HBGary, equally bad or even more disastrous, was the detailed story presented by Ars Technica, in which Anonymous revealed how they managed to bypass the company’s security. What is shocking is how easy it seems to have been to penetrate the security of a company that is, after all, an expert in security.</p>
<p>The story raises a lot of questions:</p>
<ul>
<li>Why was their security so weak? Aren’t security companies supposed to know how to defend against these types of attacks?</li>
<li>Would better security really have saved them? Or would the attackers have adapted and used more ingenious ways to get in?</li>
<li>How likely is this to happen to a small or medium-sized company? While you can imagine it happening to big players like Microsoft or Google, can it happen to small companies that did not upset the “wrong guys”?</li>
<li>How prepared are companies for targeted attacks? How many of them would remain standing after such an assault?</li>
</ul>
<p>An important thing to mention is that the standard suite of security software (firewall, antivirus, antispyware, anti-spam, anti-phishing, patch management, etc.) does a decent job of stopping 99% of attacks: the non-targeted ones – the pieces of malware that randomly scan the Internet for vulnerable machines and infect them, the emails with malicious attachments or links to dangerous sites, the sites that imitate well-known services to trick you into giving up your passwords, etc. These tools are indispensable against targeted attacks too, but here things are much more complex and they are far from enough.</p>
<p>What can be done to ensure good enough security? (Good enough is the maximum you can get; there is no such thing as a perfect security system.)</p>
<p>It is extremely important to keep the security system defenses aligned with the potential damages that a security breach will cause.</p>
<p>For a small startup that is still in its early stages, with just a few computers, it usually makes no sense to invest massively in security. This is not only because the costs will kill the business faster than any hacker, but also because the company simply doesn’t have enough valuable assets to make the effort worthwhile. However, as the company starts to build a history, it also starts to accumulate more and more sensitive data: financial data, customers’ and partners’ data, development strategies, etc. Now it becomes more dangerous to lose data or to have confidential data stolen.</p>
<p>The key is to keep the balance between security enforcement and the risks that usually increase over time, and this is the point where a lot of companies fail. Some common reasons for this are:</p>
<ul>
<li>The company is not aware of the risks simply because they don’t have the necessary expertise to evaluate them.</li>
<li>The risks are underestimated. In this case the security enforcement is seen as an unnecessary cost.</li>
<li>The company is aware of the risks and their efforts in the area give them a false sense of security, while they actually have a problem in applying policies.</li>
</ul>
<p>Usually a security incident is what makes these companies realize where they really stand.</p>
<p>In the second part of this series I’ll talk about <a href="http://www.gfi.com/blog/companies-defend-targeted-attacks-part-2/" target="_blank">what happened to HBGary and what we should learn from it</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/companies-defend-targeted-attacks-part-1/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Top Most Vulnerable Applications and Operating Systems in 2010</title>
		<link>http://www.gfi.com/blog/top-vulnerable-applications-operating-systems-2010/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=top-vulnerable-applications-operating-systems-2010</link>
		<comments>http://www.gfi.com/blog/top-vulnerable-applications-operating-systems-2010/#comments</comments>
		<pubDate>Thu, 17 Feb 2011 11:33:51 +0000</pubDate>
		<dc:creator>Cristian Florian</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[IE vulnerability]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[security patches]]></category>
		<category><![CDATA[security vulnerabilities]]></category>
		<category><![CDATA[Vulnerable Applications]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=3130</guid>
		<description><![CDATA[Analyzing the data on 2010 from National Vulnerability Database reveals some interesting statistics. This is the list of the top most targeted applications in 2010: As more and more businesses and applications are moving to the web, browsers are the &#8230;]]></description>
				<content:encoded><![CDATA[<p><a class="lightbox" title="data analysis" href="http://www.gfi.com/blog/wp-content/uploads/2011/02/data-analysis.jpg"><img class="alignright size-medium wp-image-3135" title="data analysis" src="http://www.gfi.com/blog/wp-content/uploads/2011/02/data-analysis-300x199.jpg" alt="" width="240" height="159" /></a>Analyzing the data for 2010 from the <a href="http://nvd.nist.gov/" target="_blank">National Vulnerability Database</a> reveals some interesting statistics.</p>
<p><span id="more-3130"></span>This is the list of the top most targeted applications in 2010:</p>
<p style="text-align: center;"><a class="lightbox" title="Table 1" href="http://www.gfi.com/blog/wp-content/uploads/2011/02/Table-1.jpg"><img class="aligncenter size-full wp-image-3131" title="Table 1" src="http://www.gfi.com/blog/wp-content/uploads/2011/02/Table-1.jpg" alt="" width="541" height="308" /></a></p>
<p>As more and more businesses and applications are moving to the web, browsers are the favorite targets for hackers and security researchers. These are followed closely by Adobe tools, Microsoft Office, RealPlayer and Java Runtime Environment.</p>
<p>The top most targeted operating systems in 2010 are the following:</p>
<p style="text-align: center;"><a class="lightbox" title="Table 2" href="http://www.gfi.com/blog/wp-content/uploads/2011/02/Table-2.jpg"><img class="aligncenter size-full wp-image-3132" title="Table 2" src="http://www.gfi.com/blog/wp-content/uploads/2011/02/Table-2.jpg" alt="" width="542" height="230" /></a></p>
<p>Microsoft still remains the preferred target when talking about operating systems, followed at a great distance by Linux, Apple Mac OS X and Cisco IOS.</p>
<p><a class="lightbox" title="Pie Chart" href="http://www.gfi.com/blog/wp-content/uploads/2011/02/Pie-Chart.jpg"><img class="aligncenter size-full wp-image-3133" title="Pie Chart" src="http://www.gfi.com/blog/wp-content/uploads/2011/02/Pie-Chart.jpg" alt="" width="391" height="255" /></a></p>
<p>From the data above we can see that 75% of vulnerabilities affect applications, 18% operating systems and 7% hardware devices (i.e., Cisco). This means that patching only Microsoft products is not enough. Adobe products, web browsers and Java Runtime Environment are the minimum set of other applications that must be monitored closely to ensure they are always fully patched for adequate security.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/top-vulnerable-applications-operating-systems-2010/feed/</wfw:commentRss>
		<slash:comments>14</slash:comments>
		</item>
		<item>
		<title>Patching Season?</title>
		<link>http://www.gfi.com/blog/patching-season/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=patching-season</link>
		<comments>http://www.gfi.com/blog/patching-season/#comments</comments>
		<pubDate>Thu, 16 Dec 2010 12:46:55 +0000</pubDate>
		<dc:creator>Cristian Florian</dc:creator>
				<category><![CDATA[Headline]]></category>
		<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[Internet Explorer]]></category>
		<category><![CDATA[Microsoft Exchange]]></category>
		<category><![CDATA[Microsoft Office]]></category>
		<category><![CDATA[Microsoft SharePoint]]></category>
		<category><![CDATA[Microsoft Windows]]></category>
		<category><![CDATA[patch management]]></category>
		<category><![CDATA[security patches]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=3086</guid>
		<description><![CDATA[The holidays are coming with a large number of security updates releases from vendors. So far this month we already have the following important updates: Google Chrome version 8.0.552.215 was released on 2nd December with 13 security fixes, 4 of &#8230;]]></description>
				<content:encoded><![CDATA[<p><a class="lightbox" title="patching" href="http://www.gfi.com/blog/wp-content/uploads/2010/12/patching.jpg"><img class="alignright size-medium wp-image-3087" style="margin: 10px;" title="patching" src="http://www.gfi.com/blog/wp-content/uploads/2010/12/patching-300x200.jpg" alt="" width="300" height="200" /></a>The holidays are coming with a large number of security update releases from vendors.</p>
<p>So far this month we already have the following important updates:</p>
<ul>
<li><a href="http://googlechromereleases.blogspot.com/search/label/Stable%20updates">Google Chrome version 8.0.552.215</a> was released on 2<sup>nd</sup> December with 13 security fixes, 4 of them rated high severity.</li>
<li><a href="http://support.apple.com/kb/HT4447">Apple QuickTime version 7.6.9</a> is available from 7<sup>th</sup> December. It contains 15 security fixes, 14 of them labeled as critical.</li>
<li>Mozilla yesterday released <a href="http://www.mozillamessaging.com/en-US/thunderbird/3.1.7/releasenotes/">Thunderbird versions 3.0.11/3.1.7</a>, addressing 3 critical security issues, and <a href="http://www.mozilla.com/en-US/firefox/3.6.13/releasenotes/">Firefox 3.5.16/3.6.13</a> with 11 security fixes, 10 of which are rated critical or high severity.</li>
</ul>
<p><span id="more-3086"></span></p>
<p>Oracle has released <a href="http://www.oracle.com/technetwork/java/javase/6u23releasenotes-191058.html">Java 6 update 23</a>, but this is a non-security update.</p>
<p>This week we had the biggest Microsoft Patch Tuesday ever. 17 new security bulletins were released, 16 of them labeled as critical or important. This is an all-time record for Microsoft. The following Microsoft products are affected:</p>
<ul>
<li>Microsoft Windows</li>
<li>Internet Explorer</li>
<li>Microsoft Office</li>
<li>Microsoft SharePoint</li>
<li>Microsoft Exchange</li>
</ul>
<p>More details are available <a href="http://www.microsoft.com/technet/security/bulletin/ms10-dec.mspx">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/patching-season/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>5 Benefits of Automating Patch Management</title>
		<link>http://www.gfi.com/blog/5-benefits-automating-patch-management/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=5-benefits-automating-patch-management</link>
		<comments>http://www.gfi.com/blog/5-benefits-automating-patch-management/#comments</comments>
		<pubDate>Thu, 25 Nov 2010 15:18:21 +0000</pubDate>
		<dc:creator>Cristian Florian</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[patch management]]></category>
		<category><![CDATA[security patches]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=3037</guid>
		<description><![CDATA[In a previous article I wrote about software patches and why relying on auto updating systems of individual applications is not a practical solution for corporate networks. You need a patch management solution for proper patch management. But what are &#8230;]]></description>
				<content:encoded><![CDATA[<p><a class="lightbox" title="patch management 2" href="http://www.gfi.com/blog/wp-content/uploads/2010/11/patch-management-2.jpg"><img class="alignright size-medium wp-image-3038" style="margin: 10px;" title="patch management 2" src="http://www.gfi.com/blog/wp-content/uploads/2010/11/patch-management-2-300x200.jpg" alt="" width="300" height="200" /></a>In a previous article I wrote about <a href="http://www.gfi.com/blog/automate-patching-party-applications-gfi-languard/" target="_blank">software patches and why relying on auto updating systems of individual applications is not a practical solution for corporate networks</a>.</p>
<p>You need a patch management solution for proper patch management. But what are the benefits of automating patch management for these companies?</p>
<p><span id="more-3037"></span></p>
<h2>1. Security</h2>
<p>Security is the most obvious reason as to why companies would want to have an automated patch management solution in place. One of the main reasons why software vendors release new patches is to fix security vulnerabilities that can be exploited by malicious software or people intending to damage the IT systems or network.</p>
<p>Applying security patches in a timely fashion greatly reduces the risk of a security breach and all the related problems that come with it, like data theft, data loss, reputation issues or even legal penalties.</p>
<h2>2. Company Productivity</h2>
<p>An efficient system which deploys patches network-wide helps to improve the productivity of the company in many ways. Often patches come with performance improvements for the products they apply to, or fix crashes. Helping employees get rid of these issues leads to a productivity boost. The improved security also helps productivity: in the majority of cases the worst effect of malware is not the theft of sensitive company data, but rather the downtime that badly affects productivity. The effect ranges from congested networks or slowed-down systems caused by malware activity, to breakdowns of business-critical applications, to systems which are totally compromised and need to be reinstalled from scratch.</p>
<h2>3. IT Department Productivity</h2>
<p>Productivity gain is easily measured within the IT department. You just need to ascertain how many people and working hours are required to patch the systems manually, and how much you save by using software that automates the process. In fact, for companies that have more than 20-25 computers in their network, the headaches and time required to perform manual patching are so high that, if the company does not have a solution to automate patch management, they probably do not do it at all or it is limited to critical servers only.</p>
<h2>4. Compliance</h2>
<p>Recently, compliance has become an important driver for companies to implement a patch management solution. There are more and more laws and regulations imposing security best practices on companies, and keeping systems fully patched is one of the most important security rules.</p>
<p>Government institutions, companies offering financial services and healthcare organizations are among the most affected by these regulations, but the trend is that all companies will need to be secure enough to protect the privacy and data of their employees, customers and partners.</p>
<p>Here is a list with some of the most important standards related to IT infrastructure security: Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), Sarbanes–Oxley Act (SOX), Gramm–Leach–Bliley Act (GLB/GLBA), Federal Information Security Management Act (FISMA), Family Educational Rights and Privacy Act (FERPA), Government Connect Secure Extranet &#8211; Code of Connection (GCSx CoCo).</p>
<p>Failure to comply can result in losing opportunities, incurring legal and financial penalties or even losing your business.</p>
<h2>5. Keep Up with New Features</h2>
<p>Patches can contain new features, adding new functionality or extending support for additional platforms. For organizations this often translates into opportunities to improve or extend their services.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/5-benefits-automating-patch-management/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Top 15 Most Vulnerable Applications</title>
		<link>http://www.gfi.com/blog/top-15-vulnerable-applications/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=top-15-vulnerable-applications</link>
		<comments>http://www.gfi.com/blog/top-15-vulnerable-applications/#comments</comments>
		<pubDate>Wed, 28 Jul 2010 11:40:30 +0000</pubDate>
		<dc:creator>Cristian Florian</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[GFI Fixes It]]></category>
		<category><![CDATA[GFI LANguard]]></category>
		<category><![CDATA[patch management]]></category>
		<category><![CDATA[security vulnerabilities]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=2784</guid>
		<description><![CDATA[Top 15 Most Vulnerable Applications Which were the most vulnerable applications in the first half of 2010? Below are the results after processing vulnerability data feeds as of July 7, 2010 from National Vulnerability Database (NVD), which is the U.S. &#8230;]]></description>
				<content:encoded><![CDATA[
<p>Which were the most vulnerable applications in the first half of 2010?</p>
<p>Below are the results after processing vulnerability data feeds as of July 7, 2010 from the National Vulnerability Database (NVD), which is the U.S. government repository of standards-based vulnerability management data:</p>
<p style="text-align: center;"><a class="lightbox" title="Table" href="http://www.gfi.com/blog/wp-content/uploads/2010/07/Table1.jpg"><img class="size-full wp-image-2786 aligncenter" style="margin-top: 10px; margin-bottom: 10px;" title="Table" src="http://www.gfi.com/blog/wp-content/uploads/2010/07/Table1.jpg" alt="" width="471" height="400" /></a><span id="more-2784"></span></p>
<p>Interesting highlights and remarks:</p>
<ul>
<li>Web browsers are the most targeted applications. They hold the top four places. Other popular targets for hackers are Adobe products, Java Runtime Environment and Microsoft Office.</li>
<li>Discussions about which browser is most secure do not make much sense: they all have quite a number of new security vulnerabilities. Probably the safest web browser is one used by only a few people, and therefore not popular enough to get attention from hackers. However, on such a browser a lot of sites will not work, simply because most developers only test their sites on the most widely used browsers.</li>
<li>Adobe, Microsoft and Mozilla have the most products in the top 15:
<ul>
<li>Adobe – 5 products</li>
<li>Microsoft – 3 products</li>
<li>Mozilla – 3 products</li>
<li>Oracle – 2 products</li>
<li>Apple – 1 product</li>
<li>Google – 1 product</li>
</ul>
</li>
</ul>
<p>According to NVD, new security vulnerabilities are published at a rate of 16 per day. Vendors are forced to <a href="http://www.gfi.com/blog/gfi-languard-adds-applications-patch-management-list" target="_blank">release a lot of security updates</a> to keep their products secure, so a vulnerability management tool like GFI LANguard can be very helpful. Currently LANguard can automate patching for 11 of the 15 products mentioned above. Here is the full list of supported non-Microsoft products.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/top-15-vulnerable-applications/feed/</wfw:commentRss>
		<slash:comments>11</slash:comments>
		</item>
	</channel>
</rss>
