Microsoft IE vs. Adobe Flash: Zero-Day Analysis


There has been quite a bit of discussion and coverage over the past few days about the new Internet Explorer zero-day vulnerability and its associated exploits. Amid this pandemonium there was also a zero-day vulnerability in Adobe Flash, arguably affecting a similar number of users. Unlike with the Flash vulnerability, however, federal government agencies have stepped in and advised Windows users to use other browsers, only adding to the paranoia and media spin. As of March 11th, there were an estimated 1.4 billion active Windows licenses, and of those about 30% were XP systems. Not accounting for the number of users who have upgraded in response to the April 8th cutoff of support from Microsoft, that leaves about 488 million systems that will not receive the patch for Internet Explorer’s zero-day vulnerability when it is released.
Another reason that the Adobe Flash vulnerability has not gained as much space in the headlines is the simple fact that it was patched within 24 hours. Not only is Microsoft currently leaving all of their users out to dry, but a good number of them will never get relief from this zero-day. It is important to note that Microsoft is worth an estimated $300 billion, while Adobe has a meager net worth of $18 billion, comparatively.
Some think that the IE vulnerability could finally force users to upgrade their Windows XP systems, even though they have already made the decision to keep an unsupported operating system. Others claim that any incidents in which XP users are attacked are the result of their own irresponsibility.
Could this lack of support from Microsoft have a negative effect on their stock prices? Is this just another reason for computer users to have less trust in the information system giant, causing them to use Apple products and operating systems? Will users decide to take the less expensive path and switch to a Linux solution, which has steadily gained popularity during the last decade?
What do you think?

Steve P. Higdon has been working in the information security field for over ten years, providing support and consultancy to several public and private sector organizations. Steve holds several industry certifications and can be reached via email at infosec@stephenhigdon.com and on Twitter at @SteveHigdon.

4 Ways to Sell Security Expenses to Business Executives

One of the most challenging parts of being a security administrator is asking for more money, especially when it appears as though everything is working fine. The old adage comes to mind, “If it’s not broken, don’t fix it.”
Unfortunately, this philosophy can be disastrous in the security world. New technology acquisition is often much easier for the CIO than for the CISO for one simple reason: business executives like new, shiny toys. They don’t, however, like to invest in technology that they are unable to see and play with.
For this reason, you must always address new security capability procurements in business terms that executive management understands. In other words, you have to show them the money. The following are 4 ways of getting business-minded people to see the benefit of making security expenses that they do not fully understand.
1. Create a “What If” Scenario: This suggestion is often the easiest, especially since most of the associated research has already been done if you are an active and aware security professional. Compile a list of the most recent vulnerabilities and exploits, whether they pertain to your organization or not. Then, take the data from your business continuity and disaster recovery plans (hopefully they are up to date and accurate) to calculate the amount of money lost each day when information and information assets are not available. Many times this kind of scare is enough to continue the conversation.
2. Capitalize on Competition: Business executives are always trying to compare their business with similar organizations because they do not want to be driven out of the market. On that same note, they often enjoy a good story about their competition’s shortfalls. Find some similar organizations around the world that have suffered from security incidents, especially those that have lost a considerable amount of money. When you give this presentation and provide a solution, it can easily be seen as a win/win. Not only does it look like you are a better security professional than the “other guys” have because it did not happen to your organization, but it also gives the executives an opportunity to make a decision that will give them a leg up on other members of the industry. Business people like to think that their company is an industry leader. All you have to do is give them an opportunity.
To put a cherry on top, it might be a good idea to reference the same profit loss data as in the previous suggestion when comparing against the competition.
3. Do Your Research: Nothing turns business people off more than speaking with someone who has no business sense. If you are unable to show a positive return on investment (ROI) for the procurement, they can feel like you have wasted their time. To avoid this, make sure that you research not just solution capabilities but also the associated costs. Another tip is to only suggest solutions that fulfill the current need, along with projected organizational growth and near-term future requirements. It is fine to go up a size or two when buying a winter coat for your child, but it might be a waste of money to splurge on an adult large that they will never grow into.
4. Role Identification: When all else fails and you are sure you are absolutely right, it might be a good idea to remind your executives that ultimately they are the information owners. You are doing your job by identifying the problems and presenting solutions, but it is their responsibility to approve or disapprove the security measures. It is also their responsibility to protect their information. If a security incident occurs that would have been avoided had they chosen to approve your suggested investments, it won’t be your picture on the front page of the newspaper.
This is a bold step, but it has the possibility of getting your recommendation funded AND changing the way they look at the security of their organization’s information.
These 4 ways to sell security expenses to business executives could help you make your organization more secure, avoid security incidents, and ultimately keep your job. If you have any suggestions or additional tips for performing this task, please let me know in the comments section down below and I might add them to the list.
Read, Love, Comment, Share!