Threats posed by zero-day vulnerabilities were ranked by global IT decision-makers as their topmost security concern, according to a recent survey by security firm PatchLink Corp. Fifty-three percent of respondents put zero-day vulnerabilities as the No. 1 security concern, followed by hackers, cited by 35%, and malware and spyware, with 34%. PatchLink surveyed 250 of its customers worldwide in June 2007, including CIOs, chief security officers, IT directors and managers. "The prospect of zero-day attacks is extremely troubling for organizations," said Charles Kolodgy, an analyst at market research company IDC in Framingham, Mass. "Today's financially motivated attackers are creating customized, sophisticated malware designed to exploit unpublished application vulnerabilities in specific applications before they can be fixed." Many IT departments are spread thin and lack the resources to proactively defend against zero-day threats, and attackers are using this to their advantage, said Kolodgy. Hackers are also counting on the human element part of the security equation to help them accomplish their attacks, Kolodgy added. "User behavior is difficult to control, and many hackers rely on users' lapses in judgment to carry out their malicious activity," the IDC analyst said. Controlling user behavior was cited by 32% of IT executives as the primary challenge to vulnerability management. PatchLink also asked IT executives to rank the applications that they are most concerned about protecting, and Internet Explorer was cited by 83% of the respondents. Various Internet security threat reports had previously indicated a trend of an increasing number of attacks targeting Web browsers and Web applications, which could provide access to corporate networks. "Those vulnerabilities are often used in 'gateway' attacks, in which an initial exploitation takes place not to breach data immediately, but to establish a foothold from which subsequent, more malicious attacks can be launched," according to Symantec Corp.'s latest Internet Security Threat Report. If successful, vulnerabilities in Web browsers and Web applications can enable an attacker to install malware and subsequently gain control of a compromised system. Although 72% of respondents to the PatchLink survey indicated that they are now more secure than they were a year ago, IT executives remain wary of other risks that are in the realm of the unknown, according to Matthew Mosher, senior vice president for the Americas at PatchLink in Scottsdale, Ariz. "[IT managers] are now starting to look at more of these zero-day vulnerabilities because they don't necessarily think that they have a handle on that," explained Mosher. He added that the financial motivation driving hackers today has made IT executives more concerned about zero-day exploits. Brian Bourne, president of Toronto-based IT security consultancy CMS Consulting Inc., was surprised that zero-day vulnerabilities would concern many IT executives because such exploits are typically used for targeted attacks. Such concern may be out of lack of a complete understanding on how to protect against these threats, he noted. Bourne said that a defense-in-depth strategy is still "the right strategy" for protecting against zero-day exploits. He urged IT managers to subscribe to a vulnerability advisory list so they can get all updates on most recent zero-day discoveries. "Get the information right away to find out if it impacts you," said Bourne, adding that the first step is finding out whether your company even runs that vulnerable software. A good asset management system, which gives IT a clear indication of what software and hardware are running across the enterprise, will enable administrators to make a determination of whether they are vulnerable to a zero-day attack, Bourne added. Once it's determined that there is a risk, IT administrators can then make an effort to learn everything they can about the vulnerability, he said.
Return to internet news headlines
View Internet News Archive