Security Threats Won't Let UpSecurity Threats Won't Let Up

Microsoft and other software vendors have been devoting much time and effort to reducing the number of flaws in their code. But that won't eliminate the software vulnerabilities that make it easier for hackers and virus writers to attack. CERT says that more than 4,000 software vulnerabilities were reported in 2002 and nearly 3,000 were reported in the first three quarters of 2003. Security experts expect that reported software vulnerabilities will continue to number between 50 and 60 each week.

The real issue isn't the number of vulnerabilities reported, but the severity of the security flaws. The vulnerabilities discovered last year and expected this year are increasing in severity, says Symantec's Weafer, who expects that trend to continue. About 80% of all software vulnerabilities are "remotely exploitable," which means virus and worm writers can write malicious apps that can attack these flaws from anywhere, he says.

Security analysts are less concerned about so-called zero-day worms that have gotten a lot of publicity recently. A zero-day worm is one that starts attacking before the software flaw it takes advantage of is publicly known or before a patch is available. "It takes a lot of skills to discover software vulnerabilities and to write worms that will spread effectively," says Dan Ingevaldson, engineering manager for X-Force, a research group at security firm Internet Security Systems Inc. "It's very rare to find those two skills in one person."

Yet worm and virus writers are getting faster, which means companies have less time to prepare once a software flaw is found. "We don't foresee many day-zero worms. But we do see more day-seven to day-14 worms," Gartner's Pescatore says. "Fewer than 15% of attacks occur within a month of the vulnerability announcement today. That will double by 2006."

One good bit of security news is that Microsoft isn't expected to launch any major new operating system or database products this year. "Windows 2003 server is now in its second year, and many of the vulnerabilities have already been uncovered," Pescatore says. "So we should see fewer vulnerabilities from them next year." Plus, major software vendors spend more time and energy trying to find security-related bugs before they ship applications. "All of the vendors are very scared of looking like they have more bugs than Microsoft, and they're starting to spend the money to make sure that doesn't happen," Pescatore says.

Businesses battling continuing waves of security threats may need to add new weapons to their arsenals. In addition to quick patching, effective firewall policies, strict remote-user security rules, and keeping antivirus software up to date, businesses should look at intrusion-prevention applications such as those offered by Cisco Systems, Internet Security Systems, Network Associates, Platform Logic, and Sana Security. These applications don't rely on threat signatures and software policies to thwart attacks. Instead, they attempt to block new attacks long before antivirus, intrusion-detection, and firewall systems and policies can be updated.

Want a safe prediction for the new year? Here's one: Companies will face new threats that no one expects, plus many variations of the old threats. Information-security pros aren't willing to predict much progress in the battle against worms, viruses, and other security threats. But there's one thing nearly all of them do agree on: Businesses must continue to devote time, money, and personnel to keep their systems as safe as possible.