Security
Feature
Are You Vulnerable?

June 26, 2003
By Greg Shipley


You May Ask Yourself...

Regardless of whether you fear targeted attacks by humans or nontargeted threats, such as worms, every organization must ask a few basic questions periodically:

• Do we have tiered defenses?

• Do we keep up-to-date with patches? Do we have a patch-deployment system in place that can distribute updates in a timely manner?

• Do we use an automated VA tool to identify potentially vulnerable systems?

According to our reader survey and the obviously abysmal state of the industry at large, we'd venture to say that the majority will answer "No" to most of these questions. This not only means increased risk, but increased costs, and it's where the business case comes into play: Like it or not, vulnerabilities cost money. Clean-up costs money. Lost work costs money. And not having a vulnerability-management plan in place will ultimately--you guessed it--cost money.

An interesting paper was released late last year discussing some of the vulnerability-management efforts at NASA (see www.sans.org/top20/GISRA_NASA.pdf). According to the study, NASA determined that the vast majority of its security incidents were related to a specific subset of total vulnerabilities. The agency concluded that it could reduce its risk profile by addressing this subset of known vulnerabilities. The result was an organizationwide vulnerability assessment and mitigation war, launched by NASA's CIO, that involved a few key components:


• Success was benchmarked using a vulnerability-to-host ratio.

• The performance of sites and teams was mapped directly to this ratio.

• Organizationwide ratios were measured from quarter to quarter.

Dramatic improvements were seen after just a few quarters, and NASA concluded that the effort cost about $30 per system annually. As this illustrates, organizations with a good handle on the management of their vulnerabilities can more cost-effectively deal with current threats.
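The ratio-based benchmarking described above, worked through as an added example (this is not code from the article or from NASA): site-level and organization-wide vulnerability-to-host ratios computed from constructed scan results, plus the quarter-to-quarter comparison that singles out a site whose ratio rose even while the organization-wide figure held flat.

```python
"""Vulnerability-to-host ratio benchmarking per site and per quarter.
Added example; the scan data, site names and host names below are constructed."""
from collections import defaultdict

# Constructed scanner output as (quarter, site, host, vuln_id).  A host that
# scanned clean is listed once with vuln_id None so it still counts as a host.
SCANS = [
    ("2002Q3", "siteA", "a1", "V-1"), ("2002Q3", "siteA", "a1", "V-2"),
    ("2002Q3", "siteA", "a2", "V-3"), ("2002Q3", "siteA", "a3", None),
    ("2002Q3", "siteB", "b1", "V-1"), ("2002Q3", "siteB", "b2", "V-1"),
    ("2002Q4", "siteA", "a1", "V-2"), ("2002Q4", "siteA", "a2", None),
    ("2002Q4", "siteA", "a3", None),
    ("2002Q4", "siteB", "b1", "V-1"), ("2002Q4", "siteB", "b1", "V-4"),
    ("2002Q4", "siteB", "b2", "V-1"), ("2002Q4", "siteB", "b2", "V-4"),
    ("2002Q4", "siteB", "b2", "V-4"),  # duplicate report, counted once
]

def site_ratios(scans):
    """Return {quarter: {site: distinct vulnerabilities / hosts scanned}}."""
    hosts = defaultdict(set)   # (quarter, site) -> hosts seen
    vulns = defaultdict(set)   # (quarter, site) -> distinct (host, vuln) pairs
    for quarter, site, host, vuln_id in scans:
        hosts[(quarter, site)].add(host)
        if vuln_id is not None:
            vulns[(quarter, site)].add((host, vuln_id))
    table = defaultdict(dict)
    for (quarter, site), seen in hosts.items():
        table[quarter][site] = len(vulns[(quarter, site)]) / len(seen)
    return dict(table)

def org_ratios(scans):
    """Organization-wide ratio per quarter, the figure tracked quarter to quarter."""
    hosts, vulns = defaultdict(set), defaultdict(set)
    for quarter, site, host, vuln_id in scans:
        hosts[quarter].add((site, host))
        if vuln_id is not None:
            vulns[quarter].add((site, host, vuln_id))
    return {q: len(vulns[q]) / len(hosts[q]) for q in sorted(hosts)}

def regressing_sites(table):
    """Sites whose ratio rose between the two most recent quarters; these are
    the teams a ratio-based performance review would single out."""
    quarters = sorted(table)
    if len(quarters) < 2:
        return []
    prev, cur = table[quarters[-2]], table[quarters[-1]]
    return sorted(s for s in cur if s in prev and cur[s] > prev[s])
```

With this data the organization-wide ratio is 1.0 in both quarters, yet siteA halves its exposure while siteB doubles it; only the per-site mapping surfaces that.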

Money Talks

Vulnerability-assessment software, asset-tracking systems and patch-management tools are not just beneficial. They're necessary. But these are still tactical solutions to a very strategic problem: the staggering number of vulnerabilities in mainstream OSs, services and applications. The answer--as any hardened security professional will tell you--is in the hands of developers. The world needs better software engineering, or we'll never escape today's patch-and-pray model.

But better software engineering is not going to come overnight, and it's certainly not something the enterprise customer can control. So what can be done? Start making security a key factor in product purchasing and deployment decisions, and seek out products with better security track records. ICAT is a good place for the motivated consumer to start, but those who subscribe to SAC, Bugtraq or VulnWatch will also be able to identify common offenders.

Philosophical debates aside, products that have better vulnerability track records, and thus have required less patching, not only reduce an organization's day-to-day risk, they also reduce the TCO (total cost of ownership) via lower support costs. For example, consider choosing Apache over IIS, Postfix instead of Sendmail, Tinydns instead of Bind, and Opera instead of IE. Obviously, these are not isolated decisions; security and patching requirements are just one point among many criteria. But it's a factor that is growing in importance.

If consumers begin factoring security track records into their purchasing decisions, it will send a clear message to vendors: Those that design and implement more secure products will be rewarded, and those that don't will be penalized. Think of how much easier and cheaper it would be to operate a computing environment that didn't require patching.

What Lies Ahead

Unfortunately, we suspect that the vulnerability landscape will get worse before it gets better. Over the past few years the number of discovered vulnerabilities in commercial products has risen dramatically.

Complicating matters, the management lines between application development and system, network and database administration continue to blur, particularly in regard to zones of security control. For example, administration and security of the OS (and the subsequent patching) still clearly falls under the jurisdiction of the system administrator, but his or her security efforts can be completely foiled by a single bad application; if an application developer places a vulnerable CGI form on a previously secure Web server, much of the system administrator's security controls may be bypassed. The network administrator can't be held responsible for insecure systems, and the security-conscious application developer can still be thwarted by a careless database administrator. The dependencies among administrative teams are growing ever more web-like, and these areas of authoritative haze will only be complicated by the adoption of new technologies, such as Web services.

Most organizations have two choices: Continue what they are doing and continue operating with large risk/exposure profiles, or invest in more mature vulnerability-management efforts. Those efforts must include both the tools and processes to quickly and effectively identify, and respond to, an ever-evolving set of threats. Forward-thinking organizations will not only build out better vulnerability-management systems, they will also become more security-conscious in their purchasing decisions. The safety of their data, and their businesses, depends on it.

Greg Shipley is the CTO for Chicago-based security consultancy Neohapsis. Write to him at gshipley@neohapsis.com.
