The Microsoft IIS 5 security flaw has been dealt with. Although hackers had a few hours - and in some cases, days - to attack vulnerable sites, the majority of servers have been patched and are ready to defend against the onslaught. Those that aren't patched deserve attack.
Although this vulnerability took on a high profile, it is merely one of the 40-odd network security vulnerabilities that are discovered every month.
On average, more than one new method of attacking IT infrastructure is discovered every day. Simply keeping up to date with the latest security threats, and guarding against them, is a full-time job. For IT managers who are also tasked with maintaining desktops, installing software and keeping the networks up and running, it is an impossible task.
For technology vendors, these vulnerabilities are a double-edged sword. When a flaw is discovered, the vendor can either make as much noise as possible to encourage its users to patch as quickly as possible, or try to hush the problem up.
Placing blame
If it alerts the public, the vendor knows that it is also handing every hacker on the Net a roadmap of exactly how to get into its customers' systems. Not all of the customers will install the patch in time. Some won't install it at all. They will get hacked, and the vendor will get the blame.
Jason Norwood-Young, Technology editor, ITWeb
If the problem is hushed up, no precautions will be taken to guard against the attack, and eventually a hacker will discover the hole and use it. The next version of the product may contain a fix, but between the date of discovery and the installation of that next version, the customer is at great risk.
Most vendors seem to prefer the first approach - making security holes public. It may cause users a great deal of stress, but it is certainly the only approach that the media accepts as valid. We media types are all for full disclosure and transparency, simply because it makes our jobs that much easier. In other words, the decision on whether to publicly announce a new security hole is based purely on marketing and PR.
I don't believe this is the last time that we will see the IIS 5 flaw being put to good use. Every new installation of IIS 5 - which is included on the Windows 2000 disk - will require a patch.
More of the same
Somewhere along the line, someone is going to forget about it, or a newly appointed IT administrator will not even be aware of it. In a few months, there will be a host of new systems that are unsecured, and hackers will have a field day.
The same goes for any other security flaw. System reinstallation is not uncommon, and users cannot be expected to re-apply the patch for every known hole every time they reconfigure or reinstall a system. Add to this all of the new vulnerabilities being discovered, and suddenly the term "IT security" becomes an oxymoron.
Perhaps secrecy is the best policy. Sure, it doesn't make for the best PR, but at least it doesn't put all of the knowledge needed to break a system into the hands of hackers. The skilled hackers will break into your system regardless of your security measures, but at least not every script kiddie will have the keys to the backdoor.