Month: November 2003

Today, about 40 percent of organizations are well secured, 20 percent are beginning to increase their security expenditures, but a good 40 percent still don’t really get it. “Overall security expenditures have increased by about 10 percent in each of the past three years, and security spending now comprises about 4 percent to 10 percent of a company’s budget,” Byrnes said.

“Companies that were merely secure about five years ago are now looking to do things more efficiently, by remaining secure while cutting costs.”

Ron Moritz, head of eTrust security products for Computer Associates, said one way companies might do this is by looking for security solutions that cover entire networks and can be centrally managed.

But all the panelists agree that such a system requires an organization to have a sound security policy. “If you don’t know what’s going on in your network, you can’t respond.

More info: [url=http://www.internetweek.com/story/showArticle.jhtml?articleID=16101239]http://www.internetweek.com/story/showArticle.jhtml?articleID=16101239[/url]

The focus on security needs to shift from cleaning up after a problem to anticipating potential problems, he said, with automated patch management and better coordination of software and hardware.

“Security needs to move beyond its niche focus,” he said. Otherwise, it will be impossible to keep up, Thompson claimed.

“More than 100 new viruses are identified every week–and 60 new software (problems) every week,” he said. “We saw a 19 percent increase in attack activity in the first half” of 2003.

In the relatively near future, the world will likely see the debut of damaging threats the industry is calling “Warhol” attacks, as they are likely to achieve fame by spreading across the Internet in 15 minutes. “Day Zero” threats, which exploit previously unknown vulnerabilities, will hit without warning, the Symantec CEO added.

Corporations are also taking action to stem attacks, such as creating more homogeneous computing environments or taking part in initiatives such as the Network Admissions Control program to ban insecure mobile devices from corporate networks, announced Tuesday by Cisco Systems.

Thompson stated that a shift to Linux from Microsoft wouldn’t be a sure way to avoid the kind of recent suffering caused by viruses that exploited holes in Microsoft code.

More info: [url=http://zdnet.com.com/2100-1105_2-5109531.html]http://zdnet.com.com/2100-1105_2-5109531.html[/url]

In the end, what is left and what could be done as an emergency measure? I’m afraid there’s not much that can be done to approach 100% efficiency.

Probably one of the most promising security measures would be traffic shaping IDSes and communication between different ones. They still need a lot of improvement to prevent false positives, because false positives tend to bore administrators who then end up not listening to alerts anymore.

Full disclosure of vulnerabilities is surely a way of facilitating the task of exploit writing. On the other hand, imposing a total blackout on vulnerability discovery and disclosing it only to the vendor (or publisher) of a piece of software is surely a way of; 1- not inciting hackers to discover holes, and 2-having some hackers keep them for their group of friends to carry out their own exploits.

Good old solution: patch, patch, patch
Last word: patching a system as soon as a solution has been found to a security vulnerability has always been the best solution to avoid security problems.

More info: http[url=http://www.net-security.org/dl/articles/wf.pdf]://www.net-security.org/dl/articles/wf.pdf[/url]