Network Middle East electronic edition 8th August, 2005

  • E-Mail
By  Simon Duddy Published  August 6, 2005

Security scare|~||~||~|The contemporary security landscape is a very dangerous place with vendors and end users increasingly nervous. It makes this writer yearn for the simpler days of the late 1980s when the Yankee Doodle virus shook the PC world by infecting PCs and well, playing Yankee Doodle. These days, hackers tend to have much more criminal intent and work stealthily to undermine enterprise networks and PCs. The first a user may know of an attack is when the network is down or when someone has cleaned out your internet banking account. This increased threat has created a new level of twitchiness and paranoia among end users and IT vendors, which came to a head recently when Cisco slapped an injunction on Michael Lynn, an IT security researcher, stopping him from continuing to publicise a security flaw in the internetworking operating system (IOS) found on its routers. Conspiracy theorists have not been slow to suggest that Cisco was striving to keep router flaws out of sight for selfish reasons, while the networking giant has stressed that it had no problem talking about the flaw and simply felt that disclosure should occur after the proper procedure had been followed. I suspect the initial reaction of the typical enterprise IT manager is that they would prefer to know about any flaws or potential risks to the network, however the issue is not that simple. Disclosure not only warns enterprises to patch systems, it alerts mischief-makers of vulnerabilities that can be exploited. Unfortunately hackers and virus writers often approach their endeavours with greater speed and enthusiasm than IT professionals patching systems in a data centre. This is why many systems get caught by worms and hacks despite fixes and patches being available. Cisco was able to promptly release a fix for the problem, so the savvy enterprise should not be in danger. However, had the vendor not been able to publish a fix before exploits became available, the internet could have been hit hard, with a resulting cost of many millions of dollars to customers and vendors alike. The stakes are steadily rising in the security business with small coding errors sometimes costing millions of dollars. Antivirus software vendor Trend Micro lowered its revenue and profit forecasts for the quarter running from April to June 2005 because of a bug in its software. The firm estimates that the mistake cost the firm up to US$8 million. Whether you think he is a freewheeling chancer or a brave whistleblower, this increasingly serious atmosphere is likely to see the marginalisation of characters like Michael Lynn. Some commentators fear the corporate heavy-handedness shown by Cisco could lead to vendors using interminable procedure to bury potentially damaging flaws. Taken to an extreme this could create a more dangerous environment for enterprises, for while hackers may be able to sniff out the secrets of gagged security researchers, an Abu Dhabi-based IT manager will not. Obviously this is a risky high wire act to perform and if either vendors or security researchers put their own interests above those of the wider internet community, there is the potential for disaster. Much can de done, though, to improve the situation including boosting ethical awareness among security professionals. For the vendors, the ultimate accountability rests with the users. Simply put, if products and solutions fail to live up to promises and businesses take a serious hit, then the vendor is likely to be history for that customer and their reputation in the sector will also be seriously damaged.||**||

Add a Comment

Your display name This field is mandatory

Your e-mail address This field is mandatory (Your e-mail address won't be published)

Security code