[Guest Post]

This guest post was provided by Lee Munson on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. More information: GFI vulnerability scanning software.

All product and company names herein may be trademarks of their respective owners.

Nowadays many companies will scan their corporate networks in order to identify security issues. A vulnerability scanner may be employed once per year or, preferably, more often, and can be run either in-house or by a third party.

Typically, the results that come back from the vulnerability scan are used to identify and rectify any security concerns, as well as to remain compliant with the company’s own internal policies and procedures.

The Regulations

There is a whole raft of regulations that either do, or could, have a significant effect on information processing and security. The key regulations for the USA, Europe and the United Kingdom –include:

• Payment Card Industry Data Security Standard (PCI DSS)
• Health Insurance Portability Act 1996 (HIPAA)
• Sarbanes-Oxley Act 2002 (SOX)
• Gramm-Leach-Bliley Act 1999 (GLBA)
• Family Educational Rights And Privacy Act (FERPA)
• The EU Data Protection Directive
• The EU Directive On Privacy And Electronic Communications
• The Computer Misuse Act 1990
• UK Data Protection Act 1998

Many of the above regulations either require, or at the least imply the need for, regular vulnerability scanning across the organisation’s network.

The Consequences Of Non-Compliance

There are, of course, many possible penalties associated with non-compliance of the regulations listed above. The first such penalties that you would likely think of would be immediate, legal and financial in nature but there would also be a longer-term concern as well.

In business, reputation is everything, and a company that is not compliant with the regulations will suffer as a result, either through that knowledge becoming known to prospective partners and customers, or as a direct consequence of a breach occurring.

Vulnerability Scanning and Compliance

By using a vulnerability scanner – that also includes the ability to patch vulnerabilities and provide audits – on a frequent basis, a company can detect security threats before they can affect the network. This is especially important in an environment where hardware and users are changing regularly.

Network security is a fluid process that changes all the time with new threats emerging on a regular basis. A vulnerability scanner is an essential tool for combating these new threats as these would be updated regularly by their vendors in pretty much the same way that antivirus programs are updated with new virus definition files.

Another benefit to running regular vulnerability scans is that it helps with security audits and, therefore, helps you meet compliance with the regulations mentioned above.

In the future, the need for compliance is only going to grow due to the fact that there will undoubtedly be a raft of new regulations being released and, also, because the existing regulations will almost certainly begin to encompass more and more companies, regardless of their size.

A vulnerability scanner is your virtual security consultant and can aid your organisation to pass all the appropriate legal audits as well as your company’s own internal policies, protecting all your customers’, partners’ and employees’ data and privacy in the process.

Today in my blog post, I am not going to write anything technical, tips and tricks. But I am going share few information with other bloggers for whom this information is very important in computer security perspective.

This afternoon I got a short and sweet email from a mail ID asking me to write product review for one of their product and they provided me a link to the software. In return to my review they offered me a free license for the software on which I have to write the product review. Well, everything looks fine so far and I gave a confirmation in email that I will check it a bit later in day. I opened the link they provided me in email and it’s like a company which is selling their products online. As I haven’t received any confirmation from other side about the license part they promised me, I just did a brief search over internet with the email ID and landed in Sara’s blog. I have seen a professional way of spreading virus after reading the blog entry where sara also got email like me but luckily came out of that crap because of her good antivirus (that’s what she says in her blog!).

The actual story is that, few people over internet are targeting bloggers and asking them to write review for their products and offering % or free licenses in return. The links they are providing in emails are downloading virus into your computer which in turn suffer your system in many ways if you don’t have proper Antivirus software. I know, there are many companies which ask people to write review for their products to increase their sales, but for the first time I have seen people misusing this channel to spread virus. Now I am in dilemma whether to respond to such emails or not. If I skip, I might miss some good chances and if I accept I will waste my time in fixing AV issues.

I will find-out the precautions to be taken against these scams and come up with another blog post pretty soon.

Happy Learning…,
Sitaram Pamarthi