If you've ever had consultants perform a security audit on your network then you know all about the “gotcha report.” That's what security wonks call the big, thick, overwhelming document handed over after an audit that shows the results from automated scans used to pinpoint the thousands of vulnerabilities and likely attack points on your company's network.
Unfortunately, it's about as useful as a “to-do” list that's 60,000 items long.
“Security auditors love to run those big, fat gotcha reports. They think they're proving that systems administrators don't know anything,” said Alan Paller, research director at The SANS Institute. “But knowing about those 60,000 things doesn't help you solve the problem. All it's doing is flooding you. So, like an engine, you don't start.”
The mind-numbing extent of the problem is why Gartner can so confidently predict that 90 per cent of the expected cyberattacks on businesses this year will take advantage of known, well-documented vulnerabilities. That's right. Holes in your network, gaping open and inviting invasion by anyone from script kiddies to criminal hackers. The Code Red and Nimda viruses, which together cost businesses billions of dollars in losses worldwide, both exploited known vulnerabilities.
But what if the massive to-do list for securing networks could be trimmed to a manageable size? What if somebody not only pointed out the flaws but also supplied fixes?
That's what happened last week, when the General Services Administration released its third annual list of the top 20 Internet security threats plaguing both Windows and Unix systems. The list, created by the FBI and The SANS Institute, had a truly notable difference: workable, practical solutions presented alongside the problem.
Standing up with the feds at the announcement in Washington were representatives from a handful of private-sector security companies that specialise in network vulnerability testing. They were ready with a bunch of tools and services, both commercial software and freeware, already updated to check for the latest top 20 threats. This kind of public/private partnership sets a great example, and one that our industry should applaud.
But we can't stop there. The fact that so much software, the majority of it from Microsoft, ships in a state of deplorable security is no longer acceptable. Better scanning tools and comprehensive lists of common vulnerabilities are a fine and necessary defence, but what about the offence? Patricia Keefe has said it here before, but it needs to be said again — and again. The IT community needs to raise its collective voice and lower the financial boom by refusing to buy products that aren't secure right out of the box.
It's widely believed in government circles that the massive buying power of certain federal agencies — and the threat of that financial tap being turned off — was the real reason Microsoft officials suddenly got security religion earlier this year. Money does talk, and we know what walks.
Are you using the buying power of your IT organisation to apply the same pressures to your vendors? Have you made secure systems a condition of doing business with your firm? Have you established your own baseline security standards, endorsed and supported all the way up through the CEO? These are key questions to keep in mind as you examine any new products, particularly wireless ones.
Maryfran Johnson is editor in chief of Computerworld in the US.