ZDNet UK

CNET NETWORKS UK BUSINESS SITES:
atlarge.com
BNET UK
silicon.com
SmartPlanet.com
ZDNet.co.uk

ZDNet.co.uk - Winner of Best Business Website 2007

You are here: ZDNet.co.uk > News > Security

Security management Toolkit

Ex-cybersecurity czar warns that complacency could lead to disaster

David Berlind ZDNet.com

Published: 24 Oct 2003 12:30 BST

Richard Clarke has more bad news for IT execs.

During his tenure as White House cybersecurity czar, Clarke was frequently criticised for his "sky-is-falling" attitude. Indeed, Clarke claims that the Sobig attack brought down a chunk of sky and that his warnings should have been taken more seriously.

If current trends continue, Clarke told attendees at Gartner's Symposium/ITxpo 2003 in Florida this week, the cybersecurity situation isn't just going to get worse. It's going to get exponentially worse.

Noting that the conference's location (Disney World) might be appropriate because "only in fantasy land can everything you have be secure," Clark identified five trends that don't bode well for those trying to deal with cyber attacks.

The first of these trends has to do with the number of software vulnerabilities. After assimilating data from sources such as Bugtraq, the SANS Institute, and the vendors themselves, Clarke said the number of announced vulnerabilities has doubled every year for the last three years. "At this point," said Clarke, "we're now seeing as many as 60 new vulnerabilities per week."

A second trend that closely tracks the first, according to Clarke, is the number of patches for those vulnerabilities, which also has doubled every year for the past three years. Patch management is a road full of potholes.

"No sooner do the patches get applied, then they have to apply another one," Clarke said. "CIOs want these patches applied but have no idea what the effect of the patch will be on their systems, so they're reluctant to put them on quickly. Also, they want to wait until they have a bunch of patches first, and then test them before deploying them. But, during the wait period, they're vulnerable and some have been successfully attacked in that window."

The third trend Clarke is watching is what he called the "time to exploit". This is a measurement of the elapsed time between the moment a vulnerability is announced and when the corresponding exploit makes its first appearance on IRC or some other chatroom. Said Clarke, "It's gone from months to weeks to days, and now it's about six hours.

1 2 3

Did you find this article useful?
220 out of 408 people found this useful

Post a comment

Full Talkback thread

0 comments

More In Security management

Company/Topic Alerts

Create a new alert from the list below:

Featured Talkback

It seems to me this is a burden being placed on the wrong shoulders. There is not an It system in the world that can stop an individual taking information in their heads and spewing out at the nearest undesirable third party.