Study reveals: Half of organizations suffer from high-risk vulnerabilities.
KARLSKRONA, Sweden - May 31, 2010 - An independent IT network security study reveals that nearly half of the organizations that participated in the security study suffered from high-risk network vulnerabilities. Almost two out of three organizations were facing vulnerabilities on their Internet-facing devices. The average number of found vulnerabilities per host was 12.5. The use of regular vulnerability scanning or security audits shows a tendency toward reduced risk exposure. The study was conducted during late 2009 and early 2010 in Finland by the Software Business Research Unit (SBL) at the Helsinki University of Technology (now Aalto University).
The SBL study was conducted to identify the most common security vulnerabilities in order to help companies improve their IT security and vulnerability management. During the study the researchers analyzed the IT networks of 32 Finnish organizations for software security vulnerabilities that are exposed to the public Internet. All participating organizations joined the study voluntarily and had given their approval in advance for the vulnerability scans. Each company was afterwards confidentially informed about the identified weaknesses in their own network.
The vulnerability analysis of the study revealed a total of 523 weaknesses on 42 hosts. High-risk vulnerabilities make up one third (33%) of the total number of identified vulnerabilities. Almost half of the analyzed organizations (47%) suffered from such high-risk vulnerabilities. Nearly two out of three of the participating companies (62%) faced at least lower-risk level vulnerabilities. Most commonly the vulnerabilities were found on a web server and related to the use of the popular scripting language PHP.
"Organizations that manage their vulnerability exposure through regular vulnerability scans or regular security audits can reduce their risk exposure compared to other organizations," says SBL Project Manager, Christian Frühwirth.
The study received support from the Finnish Funding Agency for Technology and Innovation (TEKES) through the VALO project. The study used the vulnerability scanning solution OUTSCAN, provided by Outpost24. OUTSCAN has several mechanisms to ensure an effective yet non-intrusive scan towards the targeted networks, minimizing any possible network interruptions.
This was the first time the IT network security study was conducted; it is planned to be repeated annually.
Vulnerabilities with a CVSS score of 7 or more on a scale of 0-10 are considered "high-risk". The full specification is available online at http://www.first.org/cvss/.
The TKK Software Business Lab is one of the leading research units in Finland in the area of software business and part of the BIT research center at the Aalto University (formerly Helsinki University of Technology – TKK). http://www.sbl.tkk.fi.
Outpost24 is the technology leader in on-demand vulnerability assessment and management solutions with over 1,000 corporate and government customers. Outpost24 is headquartered in Sweden with a global network of local sales offices.
The full study is available at: http://outpost24.com/files/Security_Study_summary_May_2010_rev_100526_CF.pdf
For more information please contact:
- Christian Frühwirth, Project Manager, Helsinki University of Technology, phone +358 9 4511, e-mail christian.fruhwirth@tkk.fi
- Ron Perris, CTO, Outpost24, phone +46 708 474 338, e-mail ron@outpost24.com
