The good news: The number of security incidents is expected to remain the same in 2003, compared to last year, based on the most recent quarterly statistics from the Computer Emergency Response Team Coordination Center.

George V. Hulme, Contributor

November 7, 2003

4 Min Read

The good news: The number of security incidents is expected to remain the same in 2003, compared to last year, based on the most recent quarterly statistics from the Computer Emergency Response Team Coordination Center.

Through the end of September, CERT handled 2,982 software vulnerability reports. For all of 2002, it dealt with 4,129.

The bad news is that attackers are still primarily exploiting known operating-system and application vulnerabilities to hack into systems. In InformationWeek's 2003 U.S. Informa- tion Security Survey, only 21% of the 815 companies surveyed say their systems were attacked via "unknown" operating-system vulnerabilities.

Attackers also hacked their way into the business systems of nearly one in five sites by exploiting poor access controls. Another 7% say their operations fell victim to attacks through unknown applications.

Many IT professionals complain that hackers, security researchers, and security vendors who find and disclose software vulnerabilities are just seeking name recognition and free publicity. After all, every big worm that has struck so far has exploited a software vulnerability that had previously been discovered and had a patch available to fix it. Not one of these worms was a so-called zero-day attack--an attack based on a vulnerability that wasn't known publicly and for which a patch wasn't already available.

As painful as patching is, and despite the toll it takes on system administrators and developers, it may not be as bad as walking into the data center one morning to discover that a worm is tearing its way through the Internet and your systems and that it will be days before anyone figures out how to counter it.

What toll is software patching having on your IT division's productivity? Let us know at the address below.

George V. Hulme
Senior Editor
[email protected]


The Way In
Was a valid user account, permission, or guest password compromised in a security attack?

Software and application vulnerabilities aren't the only programs prone to security attacks. Hackers also are making use of personal identification numbers, account permissions, and valid user passwords, all established to restrict access, in their campaigns. Of the 815 business-technology and security pros who participated in InformationWeek's U.S. Information Security Survey this year, nearly one-fourth experienced security incidents involving valid user accounts or permissions. Fourteen percent say attacks involved guessed passwords. Top of the Page

Enemy Within
Has your company experienced denial-of-service attacks in the past year?

Security pros and network administrators have a tough challenge patching the vulnerabilities software vendors announce each week. Coping with denial-of-service attacks can be equally challenging, especially when they're traced to company insiders. While nearly one-fourth of the sites surveyed by InformationWeek report recently falling victim to externally waged denial-of-service attacks, 3% report attacks that came from within their firewalls.

Security Challenged
Is the increasing sophistication of security threats a significant barrier to effective security?

Grueling work must be done if IT systems are to remain available and secure. Should we also worry about system vulnerabilities uncovered by hackers who aren't so quick to share the holes they've found? How many hackers and data thieves have identified otherwise unknown commercial system vulnerabilities? Do the sites that don't consider the increasing sophistication of security threats an obstacle to effective security (51%) know something the rest of the world doesn't, or is their optimism just wishful thinking?

What's To Come
What will be the security priorities for your company in the next 12 months?

Those in the know about information security for the most part believe that better employee education is the best defense against security breaches. Increasing awareness of policies and procedures, spending more on training and retraining workers, developing security policies and standards, and adding qualified staff will be among U.S. companies' security priorities in the coming months. One in five sites surveyed also plans to form incident-response teams to ensure that security incidents are handled quickly and effectively.

About the Author(s)

George V. Hulme

Contributor

An award winning writer and journalist, for more than 20 years George Hulme has written about business, technology, and IT security topics. He currently freelances for a wide range of publications, and is security blogger at InformationWeek.com.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights