Securing the Walls

Computer security used to mean that the system administrator had to lock the door to the server room when going out for a cup of coffee or when leaving for the day. Later, it simply meant convincing users not to load copies of their favorite programs onto the network illegally (and without concern for security compatibility issues) via floppies. Now, with Internet connections running into main servers, security techniques resemble the moats and turrets of a medieval walled city. Yet, despite the billions of dollars currently spent on firewalls, antivirus software, and security consultants, new worms and viruses wreak havoc on enterprise systems throughout the world several times a year. Of course, no security patch can prevent some gullible or ill-advised user from opening infected e-mail attachments. According to managed security services firm Activis, though, the underlying problem lies with system management and administration. Activis reports that 99 percent of all attacks are readily preventable because they come from known vulnerabilities and misconfigurations. Many of these problems are well publicized in the media before a major attack hits the firm, and patches or signature updates are usually available.

But time is not on the side of the system administrator, as vulnerabilities tend to show up quickly. Take Windows XP, for example, and its 1.5-GB of code. Within three weeks of its release, Internet security firm eEye Digital Security, Inc. (Aliso Viejo, California) located three flaws that made it possible for a hacker to take over a computer at the system level and use it for distributed denial of service attacks. Because more than seven million copies of XP were sold in the first two weeks of its launch, it is easy to see how much of a potential threat this originally posed to the Internet structure running on these machines. Even the patch Microsoft issued to fix these bugs may not be enough to resolve the problem, as the FBI's National Infrastructure Protection Center has advised users to disable XP's Universal Plug-n-Play feature in order to prevent vulnerability to these attacks. This is not to single out Microsoft. Many other software products have been found to contain security bugs. It is just that Microsoft is an easy target for hackers. Why would someone design something that would attack Apple's percentage of the desktop market when Microsoft's 94 percent share could be hit instead?

So, why do hackers cause such severe problems to the corporate world? In most cases, it comes down to the time and personnel required to keep up with all the necessary patches and version updates. A study conducted by Activis found that, in a company with only eight fire walls and nine servers running common software, an IT manager would have had to make 1315 updates in the first nine months of 2001, which is an average of seven per working day.

XP Patches

Consider again the example of Windows XP. One of the main reasons given for switching to it was the greatly enhanced security features of the operating system, and as just discussed, buyers snatched up more than seven million copies of the software within the first two weeks of its release. Within the first three weeks, however, security firm eEye Digital had already located three major holes, including one that would allow an attacker to take over the computer at the system level. It took another five weeks to develop the patch. Fortunately, in this case the vulnerability was located by a security firm, rather than some hackers, so that the first press on it was when the patch was released, not when millions of computers started crashing. Based on past experience, however, many machines will not be upgraded and someone will maliciously exploit those holes.