Network Computing is part of the Informa Tech Division of Informa PLC

Security Threats Won't Let Up This Year: Page 5 of 6

Still, most experts agree that Microsoft will remain the target of choice for worm and virus writers, at least for the short term, because of its market dominance. Microsoft and other software vendors have been devoting much time and effort to reducing the number of flaws in their code. But that won't eliminate the software vulnerabilities that make it easier for hackers and virus writers to attack. CERT says that more than 4,000 software vulnerabilities were reported in 2002 and nearly 3,000 were reported in the first three quarters of 2003. Security experts expect that reported software vulnerabilities will continue to number between 50 and 60 each week.

The real issue isn't the number of vulnerabilities reported, but the severity of the security flaws. The vulnerabilities discovered last year and expected this year are increasing in severity, says Symantec's Weafer, who expects that trend to continue. About 80% of all software vulnerabilities are "remotely exploitable," which means virus and worm writers can write malicious apps that can attack these flaws from anywhere, he says.

Security analysts are less concerned about so-called zero-day worms that have gotten a lot of publicity recently. A zero-day worm is one that starts attacking before the software flaw it takes advantage of is publicly known or before a patch is available. "It takes a lot of skills to discover software vulnerabilities and to write worms that will spread effectively," says Dan Ingevaldson, engineering manager for X-Force, a research group at security firm Internet Security Systems Inc. "It's very rare to find those two skills in one person."

Yet worm and virus writers are getting faster, which means companies have less time to prepare once a software flaw is found. "We don't foresee many day-zero worms. But we do see more day-seven to day-14 worms," Gartner's Pescatore says. "Fewer than 15% of attacks occur within a month of the vulnerability announcement today. That will double by 2006."

One good bit of security news is that Microsoft isn't expected to launch any major new operating system or database products this year. "Windows 2003 server is now in its second year, and many of the vulnerabilities have already been uncovered," Pescatore says. "So we should see fewer vulnerabilities from them next year." Plus, major software vendors spend more time and energy trying to find security-related bugs before they ship applications. "All of the vendors are very scared of looking like they have more bugs than Microsoft, and they're starting to spend the money to make sure that doesn't happen," Pescatore says.