Almost 75 percent of UK companies still do not have adequate protection against the type of attacks used by worms such as MSBlast or Nachi, according to a survey by security company Network Associates (NA).
The firm interviewed 200 IT directors from medium to large firms in Europe during August, a period which coincided with the outbreak of several malicious viruses and worms that exploited vulnerabilities in Microsoft's Windows operating system.
Christopher Thompson, vice president of marketing at Network Associates, told ZDNet UK he was concerned about the number of companies -- especially in the UK and the Netherlands -- that admitted to not having protection against blended threats. These exploit an existing vulnerability to gain access to a system, then deploy a malicious payload.
According to the survey, 42 percent of UK companies are unprotected against blended attacks while 38 percent have no plans to protect themselves. "This means somewhere close to 70 percent probably have inadequate protection strategies against blended threats," Thompson said. "That is a dangerous place for companies to be and it tells me the risk to companies is growing, not shrinking," he said.
Thompson also said he was surprised by the general lack of awareness about security issues during a period of so much viral activity: "You would think that after Slammer, Lovsan, MSBlast, Nachi and Sobig, there would be a heightened state of awareness. We were surprised by the relative level of preparedness and the variations between different countries in Europe," he said.
The survey also revealed that there is a significant difference in attitudes towards security between European countries. Companies in Germany, France and Sweden tended to adopt a proactive policy, whereas in the UK and Netherlands companies opted for a reactive policy. "The UK and Netherlands are spending most of their time reacting to things that happen -- such as applying patches and fixing security vulnerabilities," said Thompson.
More than half of companies in Germany and the Netherlands discuss security issues at board level, whereas in France, only 25 percent of respondents said the subject of security was discussed during board meetings. The UK ranked slightly higher at 35 percent. Although the situation is dangerous, Thompson said it is an improvement over 2001. "The good news is that this is now being discussed, which is an improvement to what we were seeing 18 months ago," he said.
In the past, security companies have been guilty of "over-promising and under delivering", Thompson admitted, but he blamed Microsoft for some of the problems. For example, he said, there is no reason that the "buffer overflow" vulnerabilities frequently discovered in Windows should even exist. "Buffer overflows are the result of sloppy programming -- it is shoddy workmanship," he said.
Earlier this month, Microsoft announced it has enhanced the memory protection in Windows XP in order to reduce the operating system's vulnerability to buffer overflow exploits, but the enhancement will only be available as part of Service Pack 2, which will not be available until next year.
Talkback
Unfortunately this report comes as no surprise to me. Executives and board members are by in large still only paying lip service to the information security needs of their companies. They still cling to the notion that information security is a cost center and not a differentiator. They are still holding onto the outmoded thinking of trying to attach a return on investment as apposed to using risk management methodologies. We in information security are going to continue to struggle until there is either a basic change in attitude or a heavier regulatory environment is thrust upon us. Market forces may have moved vendors towards more secure products but those forces have not moved companies to take a more secure approach to their own environments as it evidences by this report.