The troubling state of IT security revealed last week by the SANS Institute's report on Internet vulnerabilities should be an eye opener to anyone responsible for computer systems in business. We learn that, despite all the resources that have gone into protecting IT systems, they're now susceptible to new kinds of threats. It's a reminder of just how precarious IT security has become. If only more people believed that.

As discomforting as the SANS report is, here's something that's equally worrisome: Many IT professionals don't sense a heightened risk. One surprising result of InformationWeek's annual security survey, conducted four months ago, was that a majority of the 2,540 U.S. security professionals and business-technology managers we surveyed, inexplicably, didn't feel that IT security had become more tenuous.

We asked the question this way: "Is your organization more vulnerable to malicious code attacks and security breaches than it was a year ago?" Only 16% believed that was the case. Everyone else responded that their security exposure was no worse or about the same. I hope they're right. But the evidence doesn't seem to support it.

Rewind to earlier this year. In a Jan. 17 story titled "Machine Wars," (Jan 17, p. 54), InformationWeek editor at large Thomas Claburn chronicled the rise of automated attacks on the Web: "With increasingly sophisticated automated tools, [cybercriminals] can ply their trade on autopilot, from anywhere in the world."

On one day in February, Microsoft issued a dozen security bulletins addressing 17 vulnerabilities in its software. To repair all the vulnerabilities in all affected products would require more than 60 patches in English-language computers alone, we reported in "You Call This Trustworthy Computing?" (Feb. 14, p. 20).

In August, the Zotob worm was unleashed, infecting Windows PCs in more than 175 companies. Some people referred to Zotob as the first "business worm" because of its preference for workplace computers. Claburn, in an Aug. 29 story "The Threats Get Nastier," (Aug. 29, p. 34) summed up the trend as follows: "Cyberattacks are shifting from adolescent, attention-seeking nuisances to professionally executed, targeted probes for financial gain."

Recent data from InformationWeek Research shows that the security situation is even worse in China. As more U.S. companies expand there, data defense gets more complicated still. (See "IT Security In China Shows Cracks," Oct. 31, p. 47.)

And InformationWeek reported Nov. 7 that Cisco's Internetwork Operating System is becoming a growing target, too. ("The Next Big Target," Nov. 7, p. 36.)

All of this is the backdrop for last week's SANS report, which identifies the 20 most critical Internet security vulnerabilities of 2005. The key finding is that hacker targets have changed; applications and network devices are now in vogue. (See "New Path Of Attack," p. 28.)

Taken together, you begin to get the full, unsettling picture of information security today. Automated bot attacks, Windows bulletins by the dozen, a new breed of business worms, risk of heap overflow in Cisco's IOS, the underground's new fascination with unpatched holes in 20 types of applications and devices. And that doesn't even include problems caused by spyware or phishing, or customer-data breaches, or the complications of wireless networks and devices, or CDs with hidden rootkits, or the Sober worm variants spreading again.

With all of this going on, how do you explain the fact that so few security and IT professionals feel things have gotten worse? It's possible they have systems in place to ward off ill-intended probes, keep software patched, and protect customer records. Maybe the bullets are bouncing off. That, or maybe security at their companies isn't as good as it seems.

John Foley,
Editor
[email protected]

Bob Evans returns next week.

To discuss this column with other readers, please visit John Foley's forum on the Listening Post.

To find out more about John Foley, please visit his page on the Listening Post.