Security Watch

Microsoft Rings in 2010 with Light Patch Tuesday

Plus: Oracle has a hefty patch cycle; enterprises feel less secure this year than last; more.

• By Jabulani Leffall
• 01/12/2010

Despite an advanced bulletin to the contrary, Microsoft will issue two patches this week instead of one. The first is a security patch to fix remote code execution issues affecting every Windows OS, including Windows 7.

The second patch isn't for keeping out malware, but rather is being done by court order. Redmond said late last week it would patch versions of Microsoft Word 2003 for Mac to comply with a federal court's ruling requiring it to remove custom XML technology from the near-ubiquitous word processing app. This patch is similar to a previous Word 2007 update.

Individual or enterprise users who bought or licensed Word 2003 or 2007 before Jan. 10 don't have to apply the patches.
 
Oracle's Hefty Patch Cycle
Windows IT pros may have a temporary reprieve from Microsoft with its light Patch Tuesday rollout. But if you run Windows with an Oracle database on the back end of your processing environment or in a .NET feeder or snap-on interoperability situation, you have 24 more patches from Oracle to consider.

The fixes will patch more than 24 new security vulnerabilities across hundreds of Oracle's products, including Oracle's Application Server.

Survey Says: Enterprises Feel Less Secure in 2010 
Normally, surveys from security companies reporting a feeling of security-less-ness should be taken with a pinch of sodium. Still, the cause of this "insecurity" may be more important than the effect.
 
A new Ponemon-Lumension survey on the worldwide state of endpoint security suggests that many companies are feeling less secure -- nearly half, in fact. The report says this is mainly due to "ineffective budget allocations, poor collaboration across IT operations and security, and lack of company-wide policies."
 
Based on answers from the respondents, about 44 percent of IT security and IT operations practitioners in the U.S. said they lacked confidence in their own security infrastructure. Meanwhile, in Germany, 75 percent of respondents said they feel more secure than a year ago.
 
One big issue, the report points out, is what IT auditors call a lack of "tone at the top" coherence; more than half of the companies reported they don't have a formal enterprise-wide IT security policy in place to prevent negligent insider misuse of technology -- or, for that matter, to prevent attacks from outside threats.

In PCI Security, Shift Happens
If the past two years have been any indication, this year will be a big year for payment card industry (PCI) security concerns, particularly as the use of debit, credit and pre-paid cards continue to grow.
 
"Shift happens, and as an IT security professional, you need to deal with the consequences of change in the way people do business and make transactions," said Torsten George, a vice president at security company ActivIdentity. "We need to understand how to navigate the new security reality in today's topsy-turvy business climate."
 
Two years ago, a widespread ATM network failure at Citibank became the catalyst for arguments for and against PCI data security standards.
 
Then, after a big data breach almost exactly this time last year at Heartland Payment Systems, critics of the Payment Card Industry Council, which sets current PCI security standards, pointed out that Heartland was standards-compliant and still got hit.
 
Last year "was the year that the fraud of PCI audits as a security methodology became public," said Phil Lieberman, president of security software and services firm Lieberman Software. "Namely, it was only a point-in-time audit that could leave a company vulnerable unless the company instituted real and continuous security."
 
The argument over the effectiveness of PCI security standards -- whether they should be enhanced or turned over to the government like Sarbanes-Oxley and HIPAA IT security standards -- is likely to continue as the climate shifts and threats permeate, Lieberman added.