In Brief

Beware Standalone Patch Products, Banks Adopt More Security, Improving Can-Spam

Beware Standalone Patch Products

Considering implementing patch management? If so, market consolidation trends suggest you should be wary of standalone patch products, advises analyst David Friedlander, author of a recent Forrester Research brief, “Patch Management Trends in 2005.”

Patching vulnerabilities, of course, is mandatory for resisting attacks. Yet the window between public announcement of a vulnerability and code designed to exploit that vulnerability is rapidly diminishing. IT managers have a hard time patching quickly enough to keep enterprise networks secure.

Patch management tools, then, help organizations cope by automatically detecting known vulnerabilities in a corporate network, and with automatic remediation of at least some of those vulnerabilities.

Despite the potential for mitigating many vulnerabilities, not all companies have invested in the software. According to Forrester, while three-quarters of enterprises have adopted it, only half of small and medium-size businesses (SMBs) have patch management software. In other words, “SMBs lag behind significantly in their use,” notes Friedlander.

Friedlander warns that the market is consolidating, and thus advises companies to avoid standalone patch management software. “Even if these products offer superior vulnerability assessment and broad platform support, standalone solutions will be quickly overtaken by other vendors with more comprehensive offerings.” Yet he also says most integrated systems management products “are now on par with most specialized products.”

What exactly will happen to the market? Friedlander expects it to consolidate “around large systems management and security vendors such as Altiris, BMC Software, Computer Associates, Microsoft, and Symantec.” Smaller players may also continue to compete by forming OEM partnerships with larger companies, but he says it’s too soon to tell if that strategy will be successful.

Banks Focus IT Spending on Security

Based on a survey by research firm Info-Tech Research Group of small and mid-size banks, 72 percent plan to increase their spending on security software spending. Almost 60 percent plan to increase spending on security hardware in 2005.

In addition, almost half of respondents indicate they’ll increase their overall IT spending in 2005. That said, “not one IT decision maker indicated that they would be cutting security software or hardware spending,” notes the firm.

Beyond security, “both commercial and non-commercial banks are following the trends we’re seeing in other industries,” notes Terry Ouellette, a senior research analyst at Info-Technology. Such trends include a move to voice-over-IP telephony and increased adoption of storage-area networks.

Can-Spam Review Nears End

Have an opinion on Can-Spam? Beyond the unfortunate name (Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003), the law is up for review by the Federal Trade Commission, but only until June 27, 2005.

The first lawsuits arising from Can-Spam—damages can be up to $2 million—began to be filed in 2004. At least some of those have now been settled.

Yet the law’s critics argue it’s too weak to really be effective and that many state laws can more effectively prosecute spammers. These critics also point to research showing the amount of spam people receive continues to increase, despite an anti-spam law on the books.

Perhaps mindful of such criticism, the FTC has been trying to improve the law. Even if you’re not planning to comment on the law, here’s what to expect from the next version:

-- The FTC is trying to better-define what the word “sender” means, and which of multiple parties advertised in an e-mail “will be responsible for complying with the Act’s ‘opt-out’ requirements”

-- Private mailboxes or post office boxes will be allowed to constitute a physical business address, which Can-Spam requires be included in all commercial e-mails

-- The time a commercial sender has to honor an opt-out request will decrease from 10 to three days

-- The FTC will mandate that for opting out of receiving e-mails from a commercial entity, “a recipient cannot be required to pay a fee, provide information other than his or her e-mail address and opt-out preferences, or take any steps other than sending a reply e-mail message or visiting a single Internet Web page”

These changes stem from an earlier Advance Notice of Proposed Rulemaking (ANPR) comment period, which ended in April. For that, the FTC says it received 13,517 comments “from representatives of a broad spectrum of the online commerce industry, trade associations, individual consumers, and consumer and privacy advocates.” It also notes feedback is improving the law. “Current proposals are based on the comments received in response to the ANPR, as well as the commission’s law enforcement experience.”

FTC link:

Related Articles:

Prosecuting Spyware Disseminators

Can-Spam Charges

Can-Spam, Laced with Loopholes, Creates Confusion

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.