In May, Channel Insider launched “Secure Channel” – the security technology and market trends blog written specifically for solution providers. I have personally shepherded this blog over the last eight months, during which time numerous security issues have come to the fore. The following is a collection of my 10 favorite security blogs of 2009. These blogs represent some of the most pressing security issues facing businesses and potential opportunities for solution providers.
10. Morro Could Mark the Sunset of Antivirus
Microsoft Morro is perhaps the end of antivirus as we know it. It’s not because Morro is a free service, but rather because cloud computing should shift the burden of malware protection onto the service providers.
Microsoft is officially an antivirus company with its Microsoft Security Essentials suite. But, as solution providers pointed out, Microsoft’s impact may be too late as other security vendors are making their push into services and higher-level protection technologies.
9. My 12 Favorite Security Mergers
McAfee buying MX Logic and IBM’s purchase of Ounce Labs are interesting deals, but they’re hardly earth-shattering. Over the last decade, several security mergers and acquisitions have transformed the marketplace, advanced the state of the art and enshrined technologies as essential parts of the security toolkit. The following deals are my dozen favorite security mergers and acquisitions (in no particular order).
Turns out this list was hardly complete. There’s been talk for much of the last decade about how the security industry would consolidate. Many solution providers added their favorite mergers to the list. But the real consensus to come out of this was that consolidation is a myth.
8. Adobe: The New Black Hole of App Vulnerabilities
Hackers are exploiting a vulnerability in Flash that has left PDFs open to compromise and users exposed to drive-by attacks. Adobe says it will take another week to produce a patch. It’s the latest in a growing string of vulnerabilities to hit Adobe apps. Is Adobe becoming the new black hole of app vulnerabilities?
Oh, we love to beat up Microsoft for the vulnerability of its software. But, truth be told, Adobe is registering more security flaws and vulnerabilities. As Adobe software continues to make up the backbone of media-rich Web applications, we can likely expect to see more hacks go through Adobe than Microsoft.
7. 80% of Security Products Fail to Meet Expectations
ICSA Labs says that four out of five security products it tests fail to deliver the basic functionality of their design, and that 40 percent are inherently insecure. The report says more is needed in security product quality control, but will vendors hear the message before end users are filled with doubt?
What made this study interesting is that the standards the security products are failing to meet are created and maintained by the vendors themselves. One of the most overlooked weak links in the security chain is the security integrity of the security products themselves.
6. Ballmer Blames Security for Vista’s Failure
On the eve of the launch of Windows 7, Microsoft’s chief says that security improvements and barriers made Vista less compatible with third-party applications, and that’s what doomed it to failure.
“Wow,” was all I could think when I read Microsoft CEO Steve Ballmer’s assertions that the stronger security measures embedded in Windows Vista were the root cause of the operating system’s failure to win the hearts and minds of PC users. He’s right that security is inversely proportional to usability, and users hate being obstructed. However, perhaps it was the lack of applications that made businesses hold off the upgrade?
5. Survey Shows Ignorance Works in Security VARs’ Favor
As many as four in 10 security managers misrepresent their organization’s security posture or underreport the severity of security incidents. The main reason: ignorance and fear. A Channel Insider/CompTIA survey finds that ignorance is a great catalyst for new security business.
This study produced by Channel Insider and CompTIA was quite revealing. It showed that the reason security managers either lie about or misrepresent their security status is basically ignorance. But, as we found, that can open new opportunities for solution providers who are perceived as “experts.”
4. Global Warming Email Hack Reveals Value of Routine Correspondence
Hackers breached a university email system and uncovered a treasure trove of scientific correspondence that raises doubts about the global warming trend. The incident is a classic example of how even routine data has value and leaks harm businesses.
This issue generated a lot of discussion as environmental groups, the anti-global warming lobby, governments and security experts weighed in with opinions of the significance of the unearthed emails. From my perspective, this breach demonstrated in vivid color the reputational dangers that can befall an organization (or in this case, a movement) when even routine, out-of-context information is disclosed. It’s a good justification for implementing moderate security measures.
3. Congressional Ethics Leak Demonstrates DLP Shortcomings
A security breach revealed the names of seven congressional lawmakers who are under suspicion of ethics violations. While security vendors are pushing DLP products as an absolute essential to stopping insider threats, the technology would have been powerless in this incident.
This was one of the most interesting blog conversations of the year. My assertion that the Congressional ethics probe breach couldn’t have been prevented by data loss prevention technologies sparked a lively debate with the founder of Vontu, Kevin Rowney. The comments made during this debate reveal the true capabilities and limitations of DLP, as well as the opportunity for security solution providers. This debate led to the follow-up blog, “DLP Shortcomings Equals Security Services Opportunities.”
http://blogs.channelinsider.com/secure_channel/content/dlp_data_loss_prevention/dlp_shortcomings_equals_security_services_opportunities.html
2. Don’t Worry About Security Reputation
Solution providers say a fair number of their customers underreport or fudge their security reports to protect corporate reputations. They do this despite overwhelming evidence that security breaches have little to no lasting impact on corporate reputations.
This blog generated the most discussion of the year. One of the basic tenets of security is that failure will damage a corporate reputation, which will cause customers and partners to flee to safer havens. The truth—based on real-world experience with companies—is that reputations are not at risk. But should companies still be concerned? That’s what the debate was about.
1. Poor Password Management Eclipses Virus Problem
More than 1.5 million malware samples were detected in the first half of 2009. That’s 300,000 more than were detected in 2008 and more than the entire previous decade. But the most common problem found by solution providers during security assessments is poor password management.
This blog generated a lot of buzz. Viruses are manageable, and defenses are often automated. Password management, a problem we’ve known about for the better part of a decade, is still plaguing businesses large and small. Solution providers said they need better tools.