Finding the time is the biggest security challenge
At the risk of repeating myself, I'll say: Security is a human problem, not a technology problem, and likely to get worse before it gets better.
Consider a case in point: The CERT Coordination Center at Carnegie Mellon University recently called a press conference to announce the discovery of and patches for vulnerabilities in Berkeley Internet Name Domain software running on many Domain Name System servers.
'We have taken this unusual step to ensure that managers secure their systems,' CERT manager Jeffery Carpenter said.
Reports of the exploitation of published BIND vulnerabilities have popped up long after fixes were available. Sophos PLC, a British antivirus software company, sees the same situation with viruses.
'We try to harp on safe computing practices,' said David Hughes, president of Sophos' U.S. operations. 'We've been amazed at how long it takes people to follow that advice.'
Theorizing that a physical reminder is more effective, Sophos sends a monthly CD-ROM about the latest virus signatures. Even so, the company's monthly top 10 list of viruses remains relatively constant, indicating that virus engines are not being updated or scans are not happening, Hughes said.
'We shy away from automated updates, because that means the customer is outsourcing what is put on servers,' he said.
SonicWall Inc. of Sunnyvale, Calif., takes the opposite tack. It offers a security appliance for small offices that provides firewall protection, antivirus scanning with automatic updates, virtual private networking and content filtering.
'We think there will be a big demand for outsourcing security,' said David Pasco, SonicWall's vice president of marketing. He said administrators lack time or expertise to keep up with the flow of patches for products that populate their networks.
The growing use of remote access also complicates network administration. It's hard to be sure all the software on a network gets patched if devices connect only on an ad hoc basis. And as always, there is an ongoing shortage of trained people.
Security will continue to be a people problem until better security is engineered into products and the personnel shortage eases. Administrators will continue fighting brush fires, and new viruses and hacks will be common.