Can IT keep up with malware authors?


COMMENT

Are malware authors now too far ahead of information security professionals for the latter to ever recover?

Indications are that information security professionals -- and ordinary users of information and communication technology -- are increasingly on the back foot.

A new report from a United States-based research organisation -- the Internet Storm Centre -- revealed that unpatched personal computers now have an average window of just 20 minutes from being connected to the Internet to having their ports probed by malware and, most likely, being infected.

This is down from 40 minutes last year and is less than the time users need to download critical patches.

The time, however, varies greatly: subscribers to Internet service providers that block ports commonly used by worms have more time, while university networks and users of high-speed Internet services -- who may be targeted by scans from malware such as bots -- have less.

The news followed statements by a senior Microsoft executive, who unfavourably compared patch management to the human immune system. Fred Baumhardt told Tech Ed in Amsterdam: "if the human body did patch management the way IT does, we'd all be dead".

ZDNet Australia ran these issues past AusCERT computer security analyst Robert Lowe, who conceded the war was not looking so good for the information technology professional and home user.

"Malware authors have had the upper hand for a while," he said. "Security professionals have been on the back foot for a long time; the tools to launch attacks are becoming more readily available.

"I don't know if the tide is turning, it's definitely a difficult battle".

Lowe points out that, even at 40 minutes, there is not enough time for home users on dial-up to download the patches needed to protect their computers.

However, he insists that a patch management strategy is critical, taking its place in a "defence in depth" security strategy together with antivirus protection and personal firewalls.

Lowe is less inclined to believe that Internet service providers should be pressured to wade in and do more to filter out the torrent of viruses and worms wriggling eagerly towards unprotected computers. He notes that ISPs do offer antivirus and anti-spam products -- albeit while maintaining the strong stance that traffic is not their problem; they merely provide the medium to connect to the Internet.

Still, while the war is not going the way of the good guys, there are some positive signs, according to Lowe. He welcomes the release of Microsoft XP SP2 as "addressing a lot of the vulnerabilities" facing users. "It's a really positive step forward," he says, pointing particularly to the friendlier interface to security settings provided to users and the automatic enabling of the firewall product. "We definitely recommend installation as soon as possible".

What do you think? Are malware authors so far in the ascendancy that information security professionals will be forever playing catch-up? Is XP SP2 as positive a development as Lowe is recommending? TalkBack to us below.

ZDNet Australia's Iain Ferguson reported from Sydney.

Talkback

You're omitting the fact that the problem is rather one-sided. Non-MS platforms haven't had that many problems - for years. This is not to say they're 100% safe (because they aren't), but in relative terms MS has a lot to answer for - and so do the CIOs/CTOs of this world who still choose this platform.

No wonder Linux is making inroads, even without a billion-dollar marketing campaign.

via Facebook 1 September, 2004 16:26

All this talk about patches keeps making the same really bad assumption over and over again...

The assumption that the patches can be trusted is just plain wrong...

Installing Security Patches from Microsoft is playing a game of Russian Roulette. You never know when/what is going to blow up your machine.

I cannot even count the number of computers I have had to reinstall the operating system on, because Microsoft's poorly tested patches have hopelessly corrupted the system.

I know that I am not alone in this observation. Did you see how many companies were screaming for a way to shut off the XP SP2 AutoUpdate?

There were articles everywhere in which IT people were quoted as saying it would take weeks of testing before they would dare to install XP SP2.

People on the front lines of IT know how much damage Microsoft routinely and callously does with their updates. Journalists often talk about the number of unpatched computers out there, without making the effort to find out why those systems are unpatched...

The security patches from Microsoft are often worse than the viruses. I know that a good 3rd party firewall and good 3rd party antivirus software will do a good job of protecting the computer from viruses. But I do not know of any product that can protect us from Microsoft's repeated stupidity of broken autoupdates.

It's true that GNU/Linux has its share of update problems. But I have yet to see a GNU/Linux update that rendered the computer unbootable and unfixable. Whereas I have seen this so often with Windows 2000, Windows 98, and Windows XP Service Pack 1, that I feel Microsoft is very deserving of a class action lawsuit for the thousands upon thousands (perhaps millions) of dollars of damage that their updates have caused. But of course it is pointless to sue Microsoft; they have too much money and too many lawyers and have proved that they can buy their way out of nearly anything.

On the other hand I do get paid pretty well for fixing these computers, so maybe I should not complain too much. I just feel that there are more honest ways to make a living than fixing problems that should have never been there in the first place.

Above and beyond all else, Microsoft is an incredibly arrogant company that cares little about the end user.

Anybody who is trying to decide between Microsoft and Linux needs to look long and hard at the big picture. Microsoft talks a great line and paints a rosy picture of all these gee-whiz vaporware features in Longhorn. But their design process is fundamentally flawed. They insist upon integrating everything into one monolithic hunk of undocumented code. This results in a level of complexity that is infeasible to test properly and can never be fully debugged. They design it this way for the marketing advantage of product lock-in.

The true cost of constant security breaches and endless patch/update headaches is staggering. And this cost is often ignored when making comparisons to Linux.

Another cost comparison that is bogus is Microsoft's claim about how much it costs to retrain people to use Linux. While there is truth to this claim as a one-time expense, it totally overlooks how much time is involved in learning how to deal with yet another incompatible version of Microsoft's operating system. Every time Microsoft comes out with a new version of Windows the changes are huge -- which is a good indication that after all these years they still have not figured out how to do it right... and the retraining needed is considerable, especially for admins. On the other hand, once you learn how to use Linux, you have learned it forever because the underlying design has not and never will change; it just goes through incremental improvements.

I am speaking as someone who is an anti-virus and email expert and has been supporting Microsoft products since the days of Windows 3.0 and who actually worked at Microsoft for 5 years as a Test Engine

via Facebook 2 September, 2004 08:43

Some "[p]eople on the front lines of IT know how much damage Microsoft routinely and callously does with their updates. "

But not all. I've been in and around 100s of desktops and servers that have never had the problem. For me, the problem of "bad" Microsoft updates is only hearsay.

via Facebook 3 September, 2004 00:22

SERVICE PACK 2 on CD

Wow - I have been discovering that many people are experiencing the same problems with updating their XP systems to Service Pack 2.

Recently I started to advertise a PC repair service - it's all quite new and exciting for me, if not a little scary. Well, I was called out to a guy's PC running XP Home - riddled with viruses and spyware - managed to clean the system - and the next step was to update it.

Well, I armed myself with a free copy of the Service Pack 2 disk from "Computer Advisor". I figured this would be quicker than downloading the update. Popped it in - installed and restarted - then it froze on loading. Now this is my first job - wanted to do a good job and make a good impression.

Eventually had to reinstall - which was a pain as I spent nearly 3 hours cleaning it. Anyway I did so - on a clean drive - good - put SP2 in again - same again. Arrrggggg

So in the future I think it's best not to update to SP2 until there is an official fix for the problem.

The other concern was that Microsoft talk about previous updates before loading SP2 -

Now my argument is: if people get themselves a copy of SP2, which is free with PC magazines, how do they know if their PC is updated enough to be ready to take SP2? You would think that the SP2 disk would check compatibility. I might be wrong about this, but it does seem that if you download the update it seems fine, because there are lots of security updates before they offer you SP2 to install.

via Facebook 23 September, 2004 11:26