It takes about six days for a hacker to create an exploit that takes advantage of an announced vulnerability. Moreover, between January 1 and June 30, 2004, there was an average of 48 new vulnerabilities per week – the equivalent of more than seven new ones a day. Some 70 percent of these vulnerabilities were considered easy to exploit, and 96 percent thought moderately or highly severe.
These trends, reported by Symantec in its sixth bi-annual Internet Security Threat Report and other findings from a very recently released business continuity survey by SunGard, bring to mind Edvard Munch's famous painting The Scream. Given the churning tornado of infosec issues menacing businesses on each passing horizon, I'm sure the painting is emblematic of what many security pros feel like as they try to secure their companies' critical data on a daily basis.
And it seems the stuff fuelling this increasingly scary internet weather pattern is never-ending, according to Symantec and other IT security companies.
So what are companies doing about the growing number of bots, the plethora of Windows vulnerabilities, rising Linux holes, phishing and spyware attacks, adware and the potential for mobile device malware?
Well, in a separate Harris Interactive Survey commissioned by SunGard Availability Services, the results of which were released in late September, not much.
The study revealed that C-level executives' perceptions about their abilities to recover from system interruptions don't match up to reality. While those surveyed gave themselves a 'B' average on their ability to access business-critical information quickly after a disaster, the actual results of the survey offered only a slight upgrade over last year's grade of C+.
Respondents, of course, voiced concern over power outages and other disruptions, but the survey showed a distinct rise in worries over hackers. And although 36 percent of executive leaders stated that their company considers computer hackers to be the biggest threat to business-critical information access, about one-third of those surveyed say they have failed to test systems they have in place to assure such access in the past six months.
Yet, according to the results, no increases in resources are being allocated to address these issues. And this is the crux of the problem. Without the resources, without buy-in from the top, without an overall security plan and business continuity program, companies will never be able to fight a growing whirlwind of attacks.
Even Munch had to confront his demons. In its play on the internet, the corporate world has plenty of these to overcome.
Illena Armstrong is U.S. editor
How prepared is your company? Email firstname.lastname@example.org