The fact is that security has become too important to be left to security professionals. In your home or in a very small business, you have no choice but to take responsibility for the simple reason that no one else is going to do it. But even in an enterprise where information-technology professionals are in charge of security, nontechnical executives should be keeping an eye on what's being done. After all, it's not just the IT managers who are going to take the heat if hackers disrupt business by shutting down systems or causing a loss of confidential data.
That's why everyone who uses a computer should be keenly aware of a new report from the SANS Institute, a Bethesda (Md.) security research and education cooperative. SANS identified more than 600 new Internet vulnerabilities during the first three months of this year and published a list of the top threats on May 2. SANS doesn't list the viruses or worms that exploit the weaknesses. Instead it focuses on the underlying software problems (see BW Online, 5/2/05, "Your PC's Many Security Holes").
DEVASTATING INTERACTIONS. In selecting the top vulnerabilities, SANS uses five criteria: The problem must affect a large number of users. It must remain unpatched on a substantial number of systems. It must allow the takeover of a computer by an unauthorized remote user. There must be enough information about the flaw available on the Internet to let attackers exploit it. And it must have been discovered or first patched during the first three months of the year.
To no one's surprise, Microsoft's (MSFT) Windows operating system and its components lead the list, with eight separate vulnerabilities affecting a broad range of products, from the new Windows XP Service Pack 2 to the decade-old Windows NT 4.0. In fairness, Microsoft has issued fixes for all the problems, and the list simply emphasizes the importance of keeping up-to-date with Windows updates. Except for large organizations that can distribute updates through their own automated systems, the best way to do this in Windows 2000 or any newer version is to configure Windows Update to download and install patches automatically.
Sometimes vulnerabilities can interact in devastating ways. One of these came to light in March, when attackers found a way to corrupt certain Microsoft and Symantec (SYMC) software on "domain name service" (DNS) servers that convert a Web URL like www.businessweek.com to its numeric equivalent. A compromised server would redirect any Web page request to a malicious Web server that could then exploit a different flaw to load hostile software on an unprotected computer. Individuals can't do anything about the attack on DNS servers, but they can mitigate its effect by making sure their own PCs are up-to-date and running antivirus and anti-spyware programs.
TAKE CONTROL. Even security software isn't immune to attack. Antivirus products from Symantec, F-Secure, Trend Micro (TMIC), and McAfee (MFE) all turned up with problems -- quickly fixed in each case -- that could allow a remote attacker to take control of a computer running the affected software. Other serious flaws cited by SANS affected Real Networks' (RNWK) RealPlayer, Apple's (AAPL) iTunes, and AOL's WinAmp media players, plus server software from Computer Associates (CA) and Oracle (ORCL).
In short, if you're using software -- and if you're reading this you are -- the SANS report deserves your attention.
Wildstrom is Technology & You columnist for BusinessWeek