Ex-cybersecurity czar warns that complacency could lead to disaster
Published: 24 Oct 2003 12:30 BST
Richard Clarke has more bad news for IT execs.
During his tenure as White House cybersecurity czar, Clarke was frequently criticised for his "sky-is-falling" attitude. Indeed, Clarke claims that the Sobig attack brought down a chunk of sky and that his warnings should have been taken more seriously.
If current trends continue, Clarke told attendees at Gartner's Symposium/ITxpo 2003 in Florida this week, the cybersecurity situation isn't just going to get worse. It's going to get exponentially worse.
Noting that the conference's location (Disney World) might be appropriate because "only in fantasy land can everything you have be secure," Clark identified five trends that don't bode well for those trying to deal with cyber attacks.
The first of these trends has to do with the number of software vulnerabilities. After assimilating data from sources such as Bugtraq, the SANS Institute, and the vendors themselves, Clarke said the number of announced vulnerabilities has doubled every year for the last three years. "At this point," said Clarke, "we're now seeing as many as 60 new vulnerabilities per week."
A second trend that closely tracks the first, according to Clarke, is the number of patches for those vulnerabilities, which also has doubled every year for the past three years. Patch management is a road full of potholes.
"No sooner do the patches get applied, then they have to apply another one," Clarke said. "CIOs want these patches applied but have no idea what the effect of the patch will be on their systems, so they're reluctant to put them on quickly. Also, they want to wait until they have a bunch of patches first, and then test them before deploying them. But, during the wait period, they're vulnerable and some have been successfully attacked in that window."
The third trend Clarke is watching is what he called the "time to exploit". This is a measurement of the elapsed time between the moment a vulnerability is announced and when the corresponding exploit makes its first appearance on IRC or some other chatroom. Said Clarke, "It's gone from months to weeks to days, and now it's about six hours.
Previous
Did you find this article useful?
220 out of 408 people found this useful
- Share this article:
