IT security staff need to learn how to batten down the hatches more quickly, because it doesn't look like software security will get better any time soon.
The reality for IT security professionals for the foreseeable future is patching and preparing to deflect the next vulnerability. According to security expert Scott Blake, who is also a vice president of information security at BindView Corp., Houston, there is no end in sight to the invasion of worms and viruses.
"I would say we are five to 10 years away from the underlying technology getting to where we can begin to stop worrying about this stuff anymore," Blake said.
"Even Microsoft submits that any nontrivial software will have flaws, and the best you can do is try to minimize [the flaws] so it fails more gracefully. Complex, as any good security person will tell you, is the opposite of secure."
Blake said that most IT administrators already know how to secure their systems. For large enterprises, however, it remains a challenge to deploy patches, though most organizations have some sort of software-distribution system.
IT professionals are reluctant to send patches out before they are tested, because the quality of patches is often inconsistent. Blake recommends setting up a lab so patches can be tested quickly and pushed out. Untested patches don't always cause problems, but the risk is much greater where there is a high degree of customization in the enterprise. "People with homegrown applications are at a higher risk than someone with a standard Microsoft environment," he said.
Blake offers a few tips for building fail-safe networks. First, a good set of firewall rules will help, as will good antivirus software. But at the end of the day, there will always be some systems that IT departments don't manage properly, and how big a problem that is depends on the environment, he said.
"If you let people come in on dial-up or VPN access, and those systems are personal, those will be difficult to manage," he said.
Unfortunately, most worm or virus writers are just average mischief makers. "In most cases, we are not talking about someone who is coming out to create terror or financial gain," he said. "What is harmful is that they don't consider it to be their problem."