ScanIT, an Internet security consultancy, reports Microsoft’s Internet Explorer was unsafe 98 percent of the time, during 2004. The data were collected from 195,000 internet users who used ScanIT’s online security checker. The reported 98 percent unsafe rating is based on security holes being found in fully-patched installations of Internet Explorer on every day of the year 2004, except the week between October 12 and 19.

A fully-patched installation of Internet Explorer doesn’t mean that the user is safe from malware. For over half of 2004, 54 percent of the time (200 days), a worm or virus was in the wild that could take advantage of additional vulnerabilities for which a patch was not available from Microsoft.

So, what is a computer user to do? One free alternative is to use Mozilla FireFox, rather than Microsoft Internet Explorer. During the same period, ScanIT found that FireFox was vulnerable only 15 percent of the time (56 days). Another alternative is the commercial webbrowser, Opera, which was vulnerable for 17 percent of 2004 (65 days). Either of these alternatives is an excellent first step toward decreasing the risk of being attacked by internet-delivered malware.

Dave’s Comments
ScanIT’s website will report common security problems that may put you at risk; it’s worth a visit.

Another site, Steve Gibson’s Shields Up!! will help you detect a general set of security risks to you system.

Use both sites, ScanIT and Shields Up!! to help you detect your risks.

Call for Comments
Please leave your comments below.

References
ScanIT Browser Security Test
Shields Up!!

How sure are you that your security policy is effective. Let’s say that it is, so how effective is it? What costs are incurred by the policy, and I don’t mean just monetary. One way to answer these questions and ensure the policy is not only effective, but also efficient, is to apply the Six Sigma approach.

I’m meeting more and more IT folk who are Six Sigma trained, either Black Belt or in training for the recognition. A Black Belt must be able to explain the philosophies and principles of the quality program, including how systems, tools, processes, and continuous improvement can best be applied at multiple management levels and to diverse business processes throughout the organization., (quality, process/continuous improvement, etc.) and will be able to apply them in various business processes throughout the organization. However, quality is frequently mentioned in terms of product development and manufacturing. I think that it must also be applied to digital security.

Who is responsible for the security of digital assets? Each and every employee who has contact with the data must understand that she’s responsible for the data’s security, to the extent authorized by her corporate authority. However, policies based on making everyone responsible rarely succeed, be cause ultimately, no one accepts the personal responsibility. By using a Six Sigma approach, the security analyst starts at the other end, rather than the corporate user of data, the analysis begins with the customer, ultimately the real end user of corporate data. The Six Sigma process can evaluate security holes, causes, and what long-term affects intermediate actions have by evaluating the number of times customer service has been affected by security failures.

Dave’s Opinion
The Six Sigma approach to effectiveness and quality assurance is based on ensuring no failures occur. Sigma is used to mean deviations from the norm: defects from perfect quality. Six Sigma means that only 3.4 defects per million occur.

The Six Sigma approach is popular in many management applications, not just information technology; however, I have rarely seen it applied to security management. Maybe, it’s time.

Call for Comments
What do you think? Leave your comments below.

References
Six Sigma
101 Things A Six Sigma Black Belt Should Know