
FEATURE

Computer Fraud & Security March 2013


10
While the scale of cybercrime is
increasingly being recognised by business
and governments, what to do about it is
not quite so clear cut. Everyone who uses
the Internet (now estimated at 31% of
the Earth's population) is a potential
victim of cybercrime. In 2011, the UK
Government estimated that cybercrime
costs the country's economy £27bn a year
(£21bn of costs to businesses, £2.2bn
to government and £3.1bn to citizens)
and these costs could actually be much
higher.[1] In 2012, The World Economic
Forum claimed that cybercrime is one of
the biggest risks to global financial and
political stability.
While the UK government investment
of £650m over four years, starting in
2011, in the National Cyber Security
Programme to bolster the UK's
cyber defences is a welcome step,
organisations need to do as much as
they can themselves to ensure they are
as protected as possible.[2] An analysis
of data from 2006 to 2011 shows that
the software industry is still unable to
reduce the number of vulnerabilities in
software.[3] None of the top 20 software
vendors managed to reduce the number
of vulnerabilities in their products over
this period. Identifying and remediating
vulnerabilities in deployed products
therefore remains a critical task for
organisations and private users in order
to manage the risks of security breaches
and system compromise.
Software vulnerability
There are, of course, many solutions that
companies turn to in order to help secure
their digital assets. But something that
many organisations overlook is how to get
and keep control of the fundamental
root cause of security problems, and that
is the underlying vulnerability of the
software. Organisations are often unaware
of a breach until they are advised by law
enforcement that corporate or customer
data has been stolen. That is not a good way
to find out. The old truism that 'knowledge
is power' applies very much here: reliable
vulnerability intelligence, coupled with the
technical skills to know how to circumvent
a potential problem, is vital.
Many business managers still believe
that software vendors take all possible
steps to make their software secure. And
while most do a great deal of testing,
many products on release and even
into maturity still contain flaws that
allow cyber-criminals to gain access to the
entire infrastructure of any organisation.
And, contrary to widespread belief,
it is not mainly Microsoft programs
that are to be blamed for these flaws.
With the plethora of software programs
used in organisations today, including
company phones or laptops used both
professionally and privately by employees,
cyber-criminals are having a field day.
The trend to Bring Your Own Device
(BYOD) into the workplace is on the
increase. Cisco recently published a
study of 600 US IT and business leaders
that found that as many as 95% of the
organisations now allow employee-owned
devices in the workplace in some shape or
form. According to the study, by 2014,
the average number of connected devices
per knowledge worker will reach 3.3, up
from an average of 2.8 in 2012.[4]
While full marks can be given to
employers for being so flexible, this
trend to merging the private and
workplace worlds brings with it some
serious security concerns. Secunia's
publicly available software analysis
regarding the security of PCs is derived
from the 6.1 million private users
worldwide using the Secunia Personal
Software Inspector (PSI), and includes
data on the share of vulnerable software
found on private PCs. The PSI data
from 2011 tells us that three of the
most popular programs on private PCs
in the UK remain unpatched on one-
third of the PCs even though they are
vulnerable, and even though patches are
available. For example:
• There are 58 vulnerabilities in Sun
  Java 6: 63% of PC users in the UK
  have it installed on their PCs, and
  57% of those haven't patched it.
• There are 26 vulnerabilities in Apple
  QuickTime 7: 56% of PC users in
  the UK have it installed on their PCs,
  and 49% of those haven't patched it.
Holding back the tidal wave of cybercrime
Maria Eriksen-Jensen, Secunia
Whatever their job title, those responsible for IT security in an organisation
all have one thing in common: the complexity of their task is increasing as
security threats become ever more aggressive. Within this context, today's IT
security professional is expected to solve problems and manage risk, often with
a tight budget. And all are aware of the potential damage that an IT security
breach can have, not just on the running of their company but on its image,
reputation and therefore its revenue.
It is easy to see that the combination
of private users who do not update their
software and who are bringing their
own device to work is a dangerous mix.
And as the Cisco study says, it is not
just the physical device that employees
are bringing to work but also their
own applications including social
networks, cloud-based email and instant
messaging. And so the digital behaviour
employees adopt in private, with the IT
security risks it involves, is now mingling
with the corporate IT infrastructure.
This is just one more headache for the
IT team. Because so many users don't
update the software on their own PCs, it
is very difficult for the IT department to
know what to patch.
Identifying the vulnerable
To protect endpoints that are connected
to the corporate IT infrastructure from
vulnerabilities, it is essential to identify
the vulnerable software, prioritise it
and patch it. A patch remediates the
root cause of the problem, and thereby
eliminates a large number of attacks.
This is done by applying the patches
issued as security updates by software
vendors, and while most corporations
with IT teams on board can be expected
to have a patch strategy (of varying
degrees of efficiency, of course), patch
management routines and resources are
not something we should expect from
end users or smaller businesses.
Most private individuals and even
small businesses believe it is too time-
consuming and too complex to update
their software and do not make it a
priority. Many believe that, once they
have updated their Microsoft programs
when prompted by the company, they
have done all that they need to. The
problem is that, on average, a private PC
in the UK has 72 programs on it: only
27 of those are from Microsoft, and
45 are from third-party vendors. But
third-party software is where 78% of all
vulnerabilities are found.
While Microsoft issues automatic
updates to its programs, we know from
Secunia's data that this only covers 34%
of the programs installed on the average
UK PC; the third-party vendors
accounting for 66% of the programs
have their own update mechanisms. This
means that, unless they are employing a
tool that does it automatically for them,
the average UK user has to master 23
different update mechanisms to patch
the software on their PC, and not
only master the update mechanism,
but actually perform the updates on an
on-going basis, to keep their PCs secure
from vulnerabilities.
The lack of endpoint security is
among the biggest corporate security
threats. And vulnerable software on these
endpoints is one of the most popular
attack vectors with hackers, an attack
vector that is likely to become more and
more common.
Essentially, business and private
endpoints are very rewarding targets
for cyber-criminals. This is because,
being extremely dynamic environments
with numerous programs and plug-ins
installed, they are very difficult to secure.
Together with unpredictable usage
patterns, this makes them formidable
targets that are difficult to defend.
Endpoints are where the most valuable
data is found to be the least protected.
And by definition, endpoints have
access to all data needed to conduct an
organisation's business. Every endpoint
represents a valuable target for cyber-
criminals, even if no sensitive data is
present. The endpoint's computing
power and bandwidth provide valuable
resources, for example, as an infection
point, proxy or for distributed password-
cracking services.
Cyber-criminals often use off-the-
shelf malware construction kits that do
not even require any coding expertise
in their efforts to sabotage computer
programs. These criminals have refined
the malware manufacturing and
development process to systematically
bypass them. Security patches, if used
correctly, can be a very effective way
to overcome the many limitations
of traditional defence mechanisms.
Intelligent patching can lower risk
levels by up to 80% and maximise
operational efficiency. However, timely
patching of the software portfolio of any
organisation is difficult, because it is like
chasing a continually moving target.
The strategic approach
The answer lies in a strategic approach.
The implementation of a patching strategy
has to be integrated with an organisation's
software management and operating system
release strategy. To achieve the desired level
of security, an organisation must establish
processes for the regular monitoring and
correction of issues, ensuring that the risk
is minimised and that it is compliant with
specific regulations.
Figure 1: Annual costs to business of customer data loss through cybercrime. Source:
Detica/Cabinet Office.
A recent white paper from Secunia
tracked a representative endpoint
comprising the operating system
(Windows XP) and a software portfolio
with the industry's top 50 most prevalent
programs.[5] The portfolio on this
representative endpoint had programs
from 14 different vendors installed: 26
programs from Microsoft and 24 programs
from third parties (non-Microsoft). To
measure the number of vulnerabilities per
host, the paper used data gathered from
over 6 million users of Secunia's free
scanner, which identifies and patches
insecure programs on endpoints. The data
showed that vulnerabilities in third-party
programs by far outnumber vulnerabilities
in the operating system or Microsoft programs.
The sheer complexity of patching will
undoubtedly leave a large number of
systems incompletely patched and thus
vulnerable. This complexity in keeping an
endpoint fully patched has a measurable
effect on security. Creators of malicious
software and botnet agents are using a
broad spectrum of tools and techniques
that can easily bypass traditional anti-virus
technologies. As discussed above, the
common perception that the operating
system and Microsoft products are the
primary attack vector and that traditional
defence methods provide sufficient security
against vulnerabilities is incorrect.
Timely patching should be considered as
a primary security measure. However, a 'one
approach fits all' strategy no longer works,
and the ever-evolving threat landscape is
causing the goal posts to continually move.
The main dilemma is identifying the critical
programs worth patching to achieve the
largest reduction in risk.
Bad investment
From a security perspective, it is a bad
investment to only deploy a patch for a
program with vulnerabilities that are not
critical or less critical, while programs
with highly critical vulnerabilities remain
unpatched. It is not just the most popular
and widely used programs (the usual
suspects) that should be monitored
with caution. Today's attacks typically
use a large number of different exploits
to open up attacks against a wide range
of vulnerable programs; thus less-
prevalent programs are not ruled out
by cyber-criminals and can also lead to
compromise.
The challenge is to identify which
vulnerability to patch at which time.
Knowing what to patch is crucial, given
that security resources are limited;
intelligent patch prioritisation pays off
considerably. If risk requirements demand
that at least 80% of the risk of unpatched
programs has to be remediated, this can
be achieved by either patching the top 12
most critical programs or by patching the
top 37 most prevalent programs per year.
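The comparison between patching by criticality and patching by prevalence can be reproduced on any software inventory. The following Python sketch is an added example, not code or data from the article or from Secunia: the program names, install shares, vulnerability counts, criticality weights and the risk formula are all constructed assumptions.

```python
from dataclasses import dataclass

# Assumed weight per criticality rating (illustrative only, not Secunia's scoring).
WEIGHT = {"extreme": 5, "high": 4, "moderate": 3, "less": 2, "not": 1}


@dataclass(frozen=True)
class Program:
    name: str
    install_pct: int   # share of endpoints with the program installed, in percent
    open_vulns: dict   # criticality rating -> number of unpatched vulnerabilities

    @property
    def risk(self) -> int:
        # Assumed risk model: criticality-weighted vulnerability count,
        # scaled by how many endpoints are exposed.
        weighted = sum(WEIGHT[r] * n for r, n in self.open_vulns.items())
        return weighted * self.install_pct


# Constructed inventory with hypothetical program names.
INVENTORY = [
    Program("os-core", 100, {"high": 2, "moderate": 3}),
    Program("office-suite", 90, {"moderate": 2}),
    Program("browser-a", 85, {"extreme": 1, "high": 3}),
    Program("pdf-reader", 70, {"high": 5}),
    Program("runtime-x", 60, {"extreme": 6, "high": 4}),
    Program("media-player", 55, {"extreme": 4, "high": 2}),
    Program("archiver", 40, {"less": 1}),
    Program("chat-client", 30, {"high": 2, "moderate": 1}),
    Program("niche-cad-viewer", 5, {"extreme": 3}),
]


def by_criticality(program):
    return program.risk


def by_prevalence(program):
    return program.install_pct


def patch_plan(inventory, order_by, target=0.80):
    """Names of the programs to patch, taken in descending `order_by` order,
    until at least `target` of the total risk has been remediated."""
    total = sum(p.risk for p in inventory)
    plan, removed = [], 0
    for program in sorted(inventory, key=order_by, reverse=True):
        if removed >= target * total:
            break
        plan.append(program.name)
        removed += program.risk
    return plan


if __name__ == "__main__":
    critical = patch_plan(INVENTORY, by_criticality)
    prevalent = patch_plan(INVENTORY, by_prevalence)
    print(f"most critical first:  {len(critical)} programs -> {critical}")
    print(f"most prevalent first: {len(prevalent)} programs -> {prevalent}")
```

Re-running the plan whenever the vulnerability data changes is what keeps the prioritised list from going stale.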
It is not the amount invested in
IT security that is of importance for
achieving optimal risk reduction with the
same or fewer resources; rather, it is the
type of technology and its capabilities
that matter.
According to Secunia's most recent
Yearly Report into IT breaches, the share
of third-party vulnerabilities on a typical
endpoint increased from 45% in 2006 to
78% in 2011, by far outnumbering the
12% of vulnerabilities found in operating
systems or the 10% of vulnerabilities
discovered in Microsoft programs. The
report shows that the number of endpoint
vulnerabilities increased once again in
2011 to over 800 vulnerabilities (a
tripling within only a few years), more
than half of which were rated by Secunia
as either highly or extremely critical.
Many businesses are not doing enough
to help themselves. By not addressing
errors in software installed on typical
endpoints, organisations and individuals
are in effect leaving their back doors wide
open for cyber-criminals to enter and
compromise their most sensitive data. One
problem often lies with the company's
security strategy. The programs that an
organisation perceives as top priorities to
patch, as opposed to the programs that
cyber-criminals target, are often vastly
different. A typical corporate infrastructure
contains layers of programs that
organisations consider business-critical.
Many organisations will focus on patching
the top layer (business-critical programs)
only. Cyber-criminals, however, will target
all programs and only need one vulnerable
program to compromise the host.
Figure 2: Vulnerabilities (CVEs) for the top 20 vendors in 2011, and average for 2006-2010. Source:
Secunia Yearly Report 2011.
The Secunia Yearly Report revealed
that, for an organisation with over
600 programs installed in its network,
more than 50% of the programs that
are vulnerable in one year will not
be vulnerable the next year, and vice
versa. Therefore identifying all installed
programs and implementing an agile,
dynamic patching strategy according to
criticality in the remediation phase, as
opposed to a short-sighted approach of
only patching a static set of preferred
programs, clearly wins in terms of
achieving optimal risk reduction
with limited resources. Some 72% of
vulnerabilities had patches available
on the day of disclosure; therefore the
power to patch endpoints is in the hands
of all end users and organisations.
Resilient vulnerabilities
Vulnerabilities are resilient. Despite the
number of vulnerabilities decreasing
in 2011 in general, the five-year trend
identified that none of the top 20
producers of software (commercial or open
source) managed to decrease the number
of vulnerabilities in their products.
Complexity is the worst enemy of
security. The software portfolio installed on
an average endpoint comprises programs
from 24 different vendors (26 Microsoft
programs and 47 third-party programs).
It therefore involves 24 different update
mechanisms to keep a typical endpoint
secure (one Microsoft update and 23
additional update mechanisms). The
complexity involved in staying secure has a
measurable effect on security levels.
Rare programs are also risky. It's not
just the usual suspects that are at risk:
uncommon programs can also be exposed
to cyber-criminal attack. Analysing the
market share against exploit availability
demonstrates that all programs are at risk.
An example of a recent vulnerability that
hit the headlines was a zero-day flaw in
Internet Explorer where Microsoft offered
free security software on its website (the
Enhanced Mitigation Experience Toolkit,
EMET) while it figured out how to fix
the flaw affecting IE versions 7, 8 and
9 and which could be exploited on XP,
Vista and Windows 7.
While relatively uncommon, zero-day
vulnerabilities can cause havoc. In this case,
although hackers had already targeted the
flaw to take remote control of computers
before it became public knowledge,
companies that received information about
the vulnerability early were able to disable
IE and then direct users to use a different
browser until a patch was available. As
zero-day vulnerabilities are those that have
not yet been discovered by anyone but
the hacker, and therefore do not yet have
a patch from the vendor, vulnerability
intelligence is essential to ensure that
appropriate steps are taken to avoid the
pitfalls.
Reduced privileges
One way in which organisations try
to limit the danger posed by cyber-
criminals is by reducing privileges for
user accounts as a key security best
practice to prevent misuse and successful
exploitation of endpoint systems. The
reasoning behind this is twofold. First,
malware requires administrative access
to successfully exploit and compromise
a system. Second, users without
administrative access are prevented from
bypassing the organisation's security
policy as they cannot install and run
unauthorised programs on their own.
This strategy, on its own, however,
is flawed. Unfortunately, user accounts
with reduced privileges do not provide
complete protection from attack,
misuse or compromise. While reducing
privileges for end users can be regarded
as part of an effective security strategy, it
cannot be solely relied on. Organisations
need to be aware of the limitations of
this approach in order to prevent them
from getting a false sense of security
that could lead to under-investing in
complementary security layers.
Figure 3: How IT departments are responding to the Bring Your Own Device (BYOD) trend. Source:
Cisco IBSG Horizons Study.
Whatever the organisation, its
personnel work on their endpoints to
carry out daily tasks. Irrespective of the
privileges permitted on their systems,
they need and have access to all business-
relevant data and internal networks
required in order to get their work
done. Even when working with reduced
privileges, any program or process
running with the same set of privileges
also has full access to all this data. This
means that information valuable to cyber-
criminals is present regardless of users'
privileges and justifies the cyber-criminals'
interest and investment in finding ways to
compromise end users' systems.
The number and complexity of pre-
installed programs and plug-ins found on
typical endpoints alone provide plenty of
opportunities for attack and compromise.
Running as a non-admin user mainly
helps to limit what a user can install and
configure on the system, but does not
prevent an attacker from gaining control
of the user's account. A single exploitable
vulnerability in one of the many installed
programs (or plug-ins) is all cyber-
criminals need to run their malware in the
context of the local user. Furthermore, as
the user has access to the internal network,
the malware can use the user's account to
relay attacks against other systems.
The fact that many programs do
not need to be installed or require
administrative privileges to be run on an
endpoint is often overlooked. For example,
there is a growing list of so-called portable
applications: programs that do not
require installation. This represents an
enormous opportunity for cyber-criminals
and also helps explain why up to 9% of
the endpoints in large enterprises were
found to be bot infected, despite the
implementation of best-of-breed security
policies and perimeter protection.[6] Many
of the vulnerabilities are of the privilege
escalation type that allows the attacker to
gain elevated privileges, thereby nullifying
the protection sought in restrictive user
permissions. Exploiting this type of
vulnerability allows an attacker to escape
the stringent permissions of the user and
execute its code with administrator or
system privileges. In addition, there are
many ways in which users can bypass
restrictive user rights to run and install
programs on their own. There is a rich
body of step-by-step instructions on
the Internet that shows users how to
bypass user restrictions to run their own
programs.
Exploitation strategies
Over recent years, and in the face of more
restricted environments, cyber-criminals
have developed successful technologies
and strategies to make exploitation and
system compromise independent of
administrative access on endpoints. An
increasing number of recent exploits
and malware do not require modifying a
system file or the registry; just running
in memory is sufficient to access and
steal sensitive information or infect other
internal systems. For example, hijacking
browser traffic or communicating with
an external host for data exfiltration
does not require administrative access.
Malware does not even need to be
persistent and survive a reboot. A couple
of minutes on the endpoint are enough
for malware to identify and steal most
of the sensitive data, and for it to spread
further. Additionally, today's endpoints
are typically left powered on for extended
periods of time between reboots, thereby
decreasing the need of the malware to
take extensive action and privileges to stay
persistent.
While limiting users' privileges on
endpoints is a recommended and
effective means to reduce the risk of host
exploitation and limits the capabilities of
malware upon successful compromise,
it should not be seen as a replacement
for vulnerability management and
expedited patching of software, nor is
it a replacement for anti-virus or other
protection technologies.
A thorough process to identify
vulnerable programs, including programs
not authorised by the organisation,
paired with effective patch management
is an absolute must to reduce the
window of exposure and eliminate the
root cause of potential compromise.
A breakdown of vulnerabilities by
origin reveals the driver behind this trend.
Because vulnerabilities in third-party
programs by far outnumber vulnerabilities
in the operating system or vulnerabilities
in Microsoft programs, timely patching of
all Microsoft programs and the operating
system does not disrupt cyber-criminals'
opportunities at all. There remain plenty
of opportunities for system compromise
in third-party program vulnerabilities.
Furthermore, cyber-criminals do not
need precious zero-day exploits at all:
at any given time there will always be
a large number of systems present with
numerous unpatched programs.
Traditionally, organisations perceive
the operating system and Microsoft
products to be the primary attack vector,
thereby largely ignoring third-party
programs in their risk matrixes. Thus, the
prioritisation of patching most Microsoft
products and perhaps a few third-party
products is often an established strategy.
This strategy may have proved effective
in the past to achieve the desired level
of risk. However, data shows that the
dynamics of the threat environment over
the last five years result in an increasing
gap of unmitigated risk if the patching
strategy remains unchanged.
Since the mass adoption of firewalls,
organisations' main defence against cyber-
threats relies mostly on technologies such
as anti-virus and intrusion detection/
prevention systems. However, creators of
malicious software and botnet agents have
developed and used a broad spectrum
of tools and techniques to create 'one of
a kind' packages that can easily bypass
traditional anti-virus technologies.
Knowledge of the malware development
process is helpful in understanding
the limitations of current defence
technologies. The key process is the
automated generation of new, obfuscated
variants of malware on a massive scale
followed by quality assurance, to ensure
that only malware that is not detected is
deployed.
The result is a stealthy threat that
evades signature-based detection
systems, static analysis tools, behavioural
monitoring environments, and sandbox
technologies. Recent research and
independent testing repeatedly confirms
the scale of new virus variants and the
limitations of anti-virus and malware
detection technologies.
Arms race
These numbers clearly demonstrate
the on-going arms race between cyber-
criminals and defence technologies
trying to keep up. In a context of limited
security resources, it is imperative to
utilise patching techniques optimally
in order to achieve the desired level
of risk compliance. The numerous
vulnerabilities constantly found in
the diverse software portfolio of any
organisation represent the main security
threat. In light of the limitations of anti-
virus and other defence technologies,
and the effectiveness of patches to
remediate the root cause of compromise,
controlled and timely patching of the
infrastructure in order to minimise the
business risk should be considered as a
primary security measure.
For typical organisations, patching all
programs is operationally and economically
prohibitive. Furthermore, identifying and
patching the right programs to achieve
the largest reduction in risk is a significant
challenge. Identifying the critical programs
worth patching is similar to chasing a
moving target. While some programs are
vulnerable in several consecutive years,
many programs are only vulnerable in
some years while not in others. Programs
with low prevalence are also frequently
found to be considered critical in some
years.
Today's attacks typically use a large
number of different exploits to open
up attacks against a wide range of
vulnerable programs. Different exploits
are tried in sequence until one succeeds
in compromising a vulnerable program,
a process that is fully automated. New
exploits are simply loaded as plug-ins,
thereby ensuring that attackers can
quickly and easily adapt to diverse target
environments. Thus, less prevalent
programs can also lead to compromise
as these are not ruled out by cyber-
criminals.
So, knowing what to patch is
crucial in the light of limited security
resources. A considerable increase
in security with limited resources is
entirely possible, but requires the
identification of the most critical
programs. The dynamics of a software
portfolio, paired with the rapid changes
in the threat environment, imply
a dynamic approach to ensure that
organisations patch what is most critical
from the risk compliance perspective.
The continued manual tracking of
the criticality of vulnerabilities affecting
all programs used in an organisation
is cost prohibitive. However, solutions
exist to automate this task and the cost
of such solutions has to be weighed
against the increase in security that can
be achieved with fewer resources.
Essential testing
Testing security patches before deployment
is a crucial step to identify and prevent
potential issues or incompatibilities
introduced by the patch. However,
extensive testing that considerably delays the
deployment of critical security patches leads
to an increased risk of system compromise.
Research shows that the availability of
exploit material increases to over 90%
within days of vulnerability disclosure.
From the risk-management perspective, the
cost of testing paired with the increased risk
of compromise while available patches are
delayed, versus the cost of recovering from a
failed patch times the risk of a failed patch,
has to be weighed up.
The risk of a patch that causes
incompatibilities or disrupts existing
business processes after patch
deployment drives the commitment
of resources into testing. Assuming
that the testing of patches identifies
potential issues with a patch with 100%
certainty, the cost of testing is justified
by the averted cost of recovering from
a failed patch. Testing can start with
the availability of a patch. Upon the
availability of a patch the vulnerability
is made public and the availability of
exploit material increases significantly,
which in turn increases the probability
of a compromised PC. Furthermore,
the cost of compromise and recovery
from compromise is typically higher and
raises more questions the longer a patch
is available but not deployed. Thus, the
true cost of testing increases with the
increased risk of compromise.
The cost of recovery from a failed
patch certainly depends on the type
of program being patched. If, for
example, there are issues with a patch
of server software on which many
services depend, the cost of recovery
can become high, as compatibility
issues are likely. This makes rolling back
the patch and recovering from the issue
extremely difficult; therefore, extensive
testing is more than justified. However,
if a patch for a typical desktop program,
for example, has issues, the damage is
usually minimal and a rollback is easy
and quickly completed. Furthermore,
there are alternative programs to
provide the functionality. Thus, for
many programs, the cost of recovery
does not justify the expenditure and
additional risk of extensive testing. This
is especially true as the delayed rollout
of the patch poses a considerable risk.
Programs on endpoints are especially
at risk of compromise with the many
attack vectors and the activity of the
end users. Server software, on the other
hand, is typically better protected as
the server does not surf the Internet,
receive mails or open different types of
documents.
It is therefore advisable to reconsider
the testing procedures and take the
different types of programs, and their
potential options to recover from a failed
patch, into consideration. It is likely
that, for many programs, the achieved
reduction in risk through expedited
rollout of security patches more than
pays off when compared with the rather
small risk of recovering from a patch with
issues. Furthermore, the resources saved
from this strategy can help to speed up
the testing of more complex programs.
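The weighing described in this section, the cost of testing plus the added risk of compromise during the delay against the probability of a failed patch times the cost of recovering from it, can be made explicit per program type. The following Python sketch is an added example, not a model from the article or from Secunia: the cost figures, exposure rates and the exploit-availability ramp are constructed assumptions, and testing is assumed to catch a faulty patch with certainty, as in the text.

```python
from dataclasses import dataclass


def exploit_availability(day: int) -> float:
    """Assumed ramp: share of disclosed vulnerabilities with exploit material
    available `day` days after the patch is published, capped at 90%."""
    return min(0.9, 0.3 * day)


@dataclass(frozen=True)
class PatchProfile:
    name: str
    test_cost_per_day: float    # cost of one day of pre-deployment testing
    failure_probability: float  # chance the patch breaks something
    recovery_cost: float        # cost of recovering from a failed patch
    exposure: float             # daily chance of compromise once an exploit exists
    compromise_cost: float      # cost of recovering from a compromise


def compromise_probability(profile: PatchProfile, days: int) -> float:
    """Chance of at least one compromise while the patch is held back."""
    survive = 1.0
    for day in range(1, days + 1):
        survive *= 1.0 - profile.exposure * exploit_availability(day)
    return 1.0 - survive


def cost_of_testing(profile: PatchProfile, days: int) -> float:
    """Expected cost of testing for `days` days and then deploying."""
    at_risk = compromise_probability(profile, days) * profile.compromise_cost
    return profile.test_cost_per_day * days + at_risk


def cost_of_immediate_rollout(profile: PatchProfile) -> float:
    """Expected cost of deploying untested: failed-patch risk times recovery."""
    return profile.failure_probability * profile.recovery_cost


def max_justified_test_days(profile: PatchProfile, horizon: int = 30) -> int:
    """Longest testing delay that is still cheaper than immediate rollout."""
    days = 0
    while days < horizon and (
        cost_of_testing(profile, days + 1) < cost_of_immediate_rollout(profile)
    ):
        days += 1
    return days


# Constructed profiles (hypothetical figures, any currency unit).
SERVER = PatchProfile("server software", 1000, 0.10, 100_000, 0.001, 100_000)
DESKTOP = PatchProfile("desktop program", 200, 0.02, 2_000, 0.02, 5_000)

if __name__ == "__main__":
    for profile in (SERVER, DESKTOP):
        print(profile.name, "-> test for at most",
              max_justified_test_days(profile), "days")
```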
Business-critical priorities
Due to increasing security threats and
complex regulatory requirements,
compliance and security are now
recognised as business-critical priorities.
Approaching this challenge holistically
will add value to any organisation if
the process is applied consistently and
subsequently provides a transparent
overview of the level of security that is
present in the organisation.
Patching is a necessity and a fact of
life, regardless of platforms, programs or
security tools. The following question
therefore arises: how can an organisation
balance the need to patch systems with
the risks it faces and the need for stability
within the organisation?
The answer lies in the implementation
of a patching strategy integrated with
an organisation's software management
and operating system release strategy. To
achieve the desired level of security, the
organisation must establish processes for
the regular monitoring and correction
of issues, ensuring that the risk is
minimised.

It is common knowledge that
deploying patches is a complex process
that is difficult to master and maintain.
However, by using an integrated risk
management process that holistically
focuses on the criticality of the risks,
organisations will be able to achieve
higher long-term business value.
Nowadays, organisations have to
be compliant with a growing body of
diverse regulatory frameworks while
investments in compliance do not
necessarily reduce the right risks in
order to defend against cyber-attacks.
To reduce cyber-risks with limited
resources, it is important to know the
potential targets, the capabilities and
limitations of traditional defences,
and where to effectively complement
defences. Security patches are a primary
and effective means to escape the arms
race with cyber-criminals, as patches
remediate the root cause of compromise.
No single approach will win the
war against cyber-criminals. A holistic
approach to security is required, with
tactics such as restriction of user access,
deployment of effective anti-virus and
firewall solutions but, vitally important,
a strategic approach to patching. While
cyber-criminals will not be totally
disarmed in the near future, intelligent use
of the above techniques will do a great deal
to keep an organisation and its precious
data secure.
About the author
Maria Eriksen-Jensen is VP of business
development and marketing at Secunia.
She has the dual responsibility of conducting
business development, aligned with the
strategy of Secunia, as well as developing the
marketing unit and the marketing activities
for external communication. She holds a
BSc in international business and an MSc
in finance and strategic management from
Copenhagen Business School. Secunia
(www.secunia.com), headquartered in Copenhagen,
Denmark, provides vulnerability intelligence,
vulnerability assessment and patch
management solutions designed to protect
critical information assets.
References
1. The Cost of Cyber Crime. Detica/Office of Cyber Security and Information Assurance, Cabinet Office. Accessed Feb 2013. www.cabinetoffice.gov.uk/sites/default/files/resources/the-cost-of-cyber-crime-full-report.pdf.
2. Chloe Smith speaks at Cyber Security Summit. Gov.uk, 6 Nov 2012. Accessed Feb 2013. www.cabinetoffice.gov.uk/news/chloe-smith-speaks-cyber-security-summit.
3. Secunia Yearly Report 2011. Secunia. Accessed Feb 2013. http://secunia.com/company/2011_yearly_report/.
4. Cisco Study: IT Saying Yes to BYOD. Cisco, 16 May 2012. Accessed Feb 2013. http://newsroom.cisco.com/release/854754/Cisco-Study-IT-Saying-Yes-To-BYOD.
5. Frei, Stefan; Birkvald, Brian. How to Secure a Moving Target with Limited Resources. Secunia, 29 Jun 2011. Accessed Feb 2013. http://secunia.com/?action=fetch&filename=Secunia_How_to_Secure_a_Moving_Target_with_Limited_Resources.pdf.
6. Frei, Stefan. Cyber-criminals Do Not Need Administrative Users. Secunia, 7 Apr 2011. Accessed Feb 2013. http://secunia.com/?action=fetch&filename=Secunia_Cyber-criminals_do_not_need_administrative_users.pdf.
