Death, Taxes, and Human Error …
by Mark Shavlik
October 2003 Issue
In 1789, Benjamin Franklin noted, "In this world nothing is certain but death and taxes." Were he living in today's technology-driven world, he most certainly would have added "human error" to the list. Because, although technology has brought tremendous advancements in all areas of life, the technology systems we rely on are susceptible to the certainty of human error, which leaves consumers and companies open to risk and liability.
Take Windows Server 2003, for example. Released in April 2003, it is truly a state-of-the-art server operating system. True to its word, Microsoft ramped up secure development efforts and increased the focus on building security into its products. Only three months after Windows Server 2003's launch, however, the first vulnerability allowing the potential for unauthorized code execution was identified and patched. Don't get me wrong: the fact that a product such as Windows Server 2003 even exists is an amazing feat, and Microsoft isn't alone in the battle to create secure products. But with millions of lines of code, the certainty of human error in our programming environments is simply a fact of life, and it's a driving force behind the need to stay on top of proper security management, regardless of who builds the software.
We'd all like to believe these flaws are essentially harmless. But even Franklin understood that "a little neglect may breed mischief." Translated to 21st-century techno-speak, this quote applies to communities of malicious code developers who wait for software flaws to be exposed, then develop worms to take advantage of the weaknesses. Recent worms such as SQL Slammer and Code Red spread across the Internet like wildfire, causing widespread server failure and Web slowdowns. According to post-worm reports, SQL Slammer spread faster than any other worm, infecting the majority of vulnerable systems within 10 minutes of appearing and eventually impacting some 75,000 hosts. This underscores the fact that most systems are hit before a worm is even identified, so being reactive to attacks isn't really an option.
Aside from remote attacks such as worms, user-activated attacks (triggered by following a link in an e-mail or on a Web site) can be just as devastating. In both cases, a business that is attacked successfully will likely suffer significant lost productivity, huge IT costs to get systems back online, infringements on privacy and security, and an increased liability risk. ICSA Labs' Virus Prevalence Survey in April 2003 reported that companies hit by viruses in 2003 estimated it took them between 20 and 23 days to recover fully, and the remediation costs rose to approximately $81,000 per incident. For some companies, these costs might be merely an inconvenience, but for others they can mean financial disaster and the loss of a professional reputation.
That's why proactively managing vulnerabilities as they become known is a company's best defense against successful attacks. Traditionally, IT managers have viewed security management as a tedious, manual task that's impossible to keep up with and too time-consuming. But the tools available today have eliminated many of the manual aspects of security management and offer extensive features to help users understand, test, and apply the right patches.
The most effective patch management solution should make patch scanning and remediation extremely straightforward, as well as accurate and secure. Important features to look for include auto deployment, offline support, knowledge management features such as patch annotation, a shared back-end database to facilitate collaboration, and patch-management tracking to compare progress against existing enterprise security initiatives.
If you're skeptical about price, consider that an effective patch management solution with all these features is inexpensive when compared to the cost of lost productivity, reactive maintenance, and liability. And with patch management in place, networks, applications, and all the important information within are 100-percent more protected than without it. So, with one last piece of Franklin-inspired advice: Get patching, because "by failing to prepare, you are preparing to fail."
About the Author
Mark Shavlik founded Shavlik Technologies in 1993 to provide tools for secure application design and development. He has more than 20 years' experience in the IT industry, including tenure as a senior systems designer and development project leader in the Microsoft Systems group and as an original member of the Windows NT development team.