IT managers at the InfoSec 2003 conference in New York last week are starting to view so-called zero-day attacks, which take advantage of software vulnerabilities for which there are no available fixes, as a major threat to data security.
More than ever, the threat of such attacks underscores the need for companies to set and then require the use of safe configuration policies for the packaged software and homegrown systems they use.
Attendees also stressed the importance of having well-developed patching and incident-response capabilities to help minimise the havoc that attacks could wreak.
Joseph Inhoff, a Lan administrator at Lutron Electronics, said that because zero-day attacks seek to exploit security holes in software products before suppliers can plug them, the potential for damage is something that his company's management is especially worried about.
Inhoff attended the InfoSec show to see how automated patching software could help his company respond to zero-day attacks once patches are released.
No major zero-day attacks have been launched so far. But IT managers are unlikely to have the luxury of being able to put off needed security improvements for long, warned Mary Ann Davidson, chief security officer at Oracle.
"You can see that the time lines are collapsing," Davidson said, adding that the trend suggests that it is only a matter of time before users start seeing attacks against flaws that have not yet been disclosed, or ones for which patches have not yet been released.
The number of new vulnerabilities and exploits surfacing on IT security discussion forums and mailing lists are another indication that such attacks are not far off, said Todd Kunkel, network system security administrator at Adelphi University.
Kunkel monitors discussion forums to try to keep abreast of new security threats and determine whether work-arounds are possible before attackers exploit the flaws. "I try to find out if there's anything that I need to worry about and see how I can go about fixing it," he said.
The relatively slow pace at which some companies patch their systems against security holes makes them attractive targets for zero-day attacks as well as conventional ones, said Gerhard Eschelbeck, chief technology officer at Qualys, which provides vulnerability assessment services.
Every three months, Qualys performs more than one million vulnerability scans on behalf of 1,300 clients and "several thousand" prospects. Eschelbeck noted that one scan done last month identified more than 12,000 systems that were vulnerable to a Windows remote procedure call flaw for which no patches were available at the time.
The consequences of zero-day attacks are "potentially devastating" for companies that have not developed contingency plans for rapidly responding to them, said Dennis Brouwer, a senior vice president at SmartPipes, a provider of managed network services.
The only option that IT managers may have if they are caught unprepared by an attack is to shut down their systems and restart, Brouwer said. "It's almost like the response after 9/11," he noted. "The first thing you do is to get all your airplanes on the ground."
Jaikumar Vijayan writes for Computerworld