IT Security and Net Admins swamped with patching vulnerabilities
System vulnerabilities--holes through which intruders may crawl inside your servers--are cropping up at a rate of six or seven per day, a pace that strains the resources of most system administrators, security experts say.
The Code Red incident left little doubt that the most serious security risks for Internet businesses are not just the holes in the software, but also the time lag in closing them. A major hazard lies in the fact that a worm to exploit the IIS exposure was ready about four weeks after the patch was created--and during those weeks, many system administrators had not bothered to fix their systems....
Data guardians swamped by hacking blitz
By Charles Babcock writing for Interactive Week
Many such vulnerabilities are minor enough that I-managers can wait for them to be fixed in the next release of an operating system (OS) or Web browser. But some holes, such as the recently identified buffer-overflow exposure of Microsoft's Internet Information Server, can leave Web sites open to attack. Although the IIS vulnerability could easily be fixed with a patch that Microsoft posted June 18, a malicious worm called Code Red had no trouble propagating itself to 250,000 unpatched IIS servers in nine hours when it was launched on July 19.
Hackers "are moving up the software stack" to the Web server, database server and application server, says Chris Rouland, director of X-Force, the research arm of security software vendor Internet Security Systems.
In 1996, only about five new system vulnerabilities showed up each month. Today, there are 200 new vulnerabilities per month, Rouland says, and system administrators are hard-pressed to pay attention to those that most directly affect them.
"It's an enormous number of patches to keep up with. I think it's a losing proposition" for many administrators, says John Garber, chief strategic officer of Cryptek Secure Communications, a security firm whose intrusion detection systems shield data and applications.
Says Rouland: "There is a requirement for tools that automatically look for vulnerabilities," which might tell the administrator what patches are needed.