Procurement is a way to cut out IT security flaws, the annual SANS Top 20 vulnerabilities launch in London heard. The event made the front page of the Financial Times on the day of the launch at the Department for Trade and Industry, which shows that business takes IT security seriously. In the FT, SANS director of research Alan Paller warned that it is easy for hackers to steal information from back-up systems. "Rarely does back-up software have encryption. Whereas Microsoft Windows (and Unix) regularly offer 'patches' (fixes) for its software where there are security loopholes, there is no such fixing for back-up software. It could take the software companies years to respond, just as it took Microsoft years to respond to vulnerabilities in its products," Alan Paller feared.

Change the world

"At the conference, Mr Paller said a 'shocking' number of people still run computer back-up systems the same (unpatched) way as they bought them." Rather than blame the vendors of software, he suggested using procurement as a security strategy, whereby everyone gained. He said: "If you change the world, you change it with procurement, not with regulation." By that, he meant buyers of IT security should use their spending power, as the US Air Force has. Buyers can insist that IT software sellers sign contracts whereby, if patches are needed later, or if the software is not free of SANS Top 20 vulnerabilities, it is the responsibility of the software vendor to put it right. Improvements are immediate, according to Alan Paller: "the software vendors find it costs no more to have safer products than as currently when software breaks down and patches have to be added."

Information assurance

The US-based SANS Institute is a collector of IT security information. The SANS Top 20 came from IT people from around the world, including, in the UK, Rhodri Davies of internet security firm Vistorm, the National Infrastructure Security Coordination Centre, and information security consultants AFENTIS. Other speakers at the event included Roger Cumming, Director of the NISCC, and Dr Steve Marsh, Director of the CSIA (Central Sponsor for Information Assurance) at the Cabinet Office. The CSIA promotes safe IT and has run regional information assurance roadshows for public sector IT security managers and purchasers.

Some words of SANS advice

  • Backup media should be stored, tracked and accounted like other IT assets to deter and detect theft or loss; and it should be securely erased, or physically destroyed at the end of its useful life.
  • Anti-virus software is now installed on almost all desktops, servers and gateways on various platforms to combat virus outbreaks.  During the past year, there has been a shift in focus to exploit security products used by a large number of end users.  This includes anti-virus and personal firewall software.  The discovery of vulnerabilities in anti-virus software is not limited to just desktop and server platforms.  Ensure that all of your anti-virus software is regularly and automatically updated.
  • Databases are a key element of many systems storing, searching or manipulating large amounts of data.  They are found in virtually all businesses, financial, banking, customer relationship and system monitoring applications.  Due to the valuable information they store such as personal or financial details, databases are often a target of attack.  Because databases are often distributed as components of other applications, it is possible for a database to have been installed without administrators realising it.
  • Instant Messaging (IM) applications are being used by millions of users, for personal and business purposes; popular IM applications include Yahoo! and AOL.  IM applications are available for virtually all platforms including the handheld devices.  Set out corporate policy on 'appropriate' IM usage in your company.
  • Don't use default passwords on any accounts; and don't use weak passwords or passwords based on dictionary words.  Audit your machines to ensure your password policy is being adhered to.
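The last piece of advice, auditing accounts against a password policy, can be turned into a small check that runs wherever passwords are set or reviewed. The script below is an added illustration and is not code from SANS or from the article; the default-password list, the dictionary stand-in, the leetspeak map, the 12-character minimum and the sample accounts are all constructed for this example, and a real audit would load a full word list and typically run as a password-change hook rather than over a plaintext inventory.

```python
import re
import string

# Constructed stand-in for a list of factory-default credentials that the
# advice says must never be left in place on any account.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "123456", "root", "guest"}

# Constructed stand-in for a dictionary word list; a real audit loads a full one.
DICTIONARY_WORDS = {"summer", "dragon", "welcome", "monkey", "london", "security"}

# Common leetspeak substitutions, reversed, so "Summ3r!" is still seen as "summer".
LEET_MAP = str.maketrans(
    {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
)

MIN_LENGTH = 12  # assumed policy minimum for this example

# Constructed sample inventory of account name -> candidate password.
SAMPLE_ACCOUNTS = {
    "backup_svc": "changeme",
    "dba": "Summ3r!",
    "ops": "L0nd0n2024",
    "analyst": "correct-Horse9-battery",
}


def normalise(password: str) -> str:
    """Lower-case, trim digits/punctuation from the edges, then undo leet substitutions.

    Trimming first keeps a year suffix such as '2024' from being leet-decoded.
    """
    core = password.lower().strip(string.digits + string.punctuation)
    return core.translate(LEET_MAP)


def check_password(password: str) -> list[str]:
    """Return the policy violations for one password; an empty list means compliant."""
    violations = []
    if password.lower() in DEFAULT_PASSWORDS:
        violations.append("default password")
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if normalise(password) in DICTIONARY_WORDS:
        violations.append("based on a dictionary word")
    # Count lower, upper, digit and punctuation classes present.
    classes = sum(
        bool(re.search(pattern, password))
        for pattern in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")
    )
    if classes < 3:
        violations.append("fewer than 3 character classes")
    return violations


def audit_accounts(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Audit an account -> password mapping and return only the non-compliant accounts."""
    return {name: v for name, pw in accounts.items() if (v := check_password(pw))}


if __name__ == "__main__":
    for account, problems in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{account}: {', '.join(problems)}")
```

The normalisation step is what catches the "dictionary word with a digit swapped in" pattern the advice warns about; the checker deliberately reports every failing rule for an account rather than stopping at the first, so an audit report shows administrators the full gap between each account and the policy.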