For anyone involved in IT, there was no excuse for not already attending to the problem. A steady stream of internet-borne viruses and revelations of new software vulnerabilities should have put them in a state of vigilance.
I’ve been kept in that state since the middle of July by an alert service which has been sending me a handful of messages each day warning of some new threat. This has been courtesy of E-Secure-IT, run by Auckland company Co-Logic. In one way it’ll be a relief that my trial subscription has come to an end — there’ll be that much less email for me to attend to. I admit that’s the kind of head-in-the-sand response that helps propagate email viruses. But the lasting effect of having seen the volume of threats of the past few months is that I reflexively delete messages of unknown origin that come with attachments.
Microsoft software is implicated in many security scares and a quick scan of the 230 alerts I’ve filed away reveals Microsoft is involved in about 45% of them. This is far and away more than any other software maker. Linux and Unix are the subject of about a dozen alerts and Sun a slightly lesser number. The Macintosh platform is hardly represented in the statistics.
I’m not suggesting this is a scientific analysis of security threats. Microsoft inevitably merits greatest attention because most people use its software. By the same token, the world’s biggest software maker certainly needs to do a better job of making its products secure.
Analyst Gartner stated it plainly in September, suggesting that abandoning Microsoft’s Internet Information Server (IIS) was a quick way of reducing security vulnerability. This was a response to the Nimda and Code Red viruses, which exploited IIS weaknesses. Microsoft bit back, saying IIS was no more vulnerable than any comparable product.
Now another analyst, Forrester, has come out saying dumping IIS is not the answer, representing as it does about 25% of web servers on the internet. Forrester urges organisations to change their administration practices. One of its recommendations is to use diverse platforms for critical systems.
It’s staggering, also, that many organisations still don’t do the basics. A Computerworld source who employed a port scanner to look for open Microsoft SQL Server installations on New Zealand websites found six out of 10 were not password-protected.
I had a recent reminder in another context of how useless the fanciest security systems are if humans don’t play their part. A few days after September 11, I went to check in for a domestic airline flight. To my dismay – and the embarrassment of the Air New Zealand counter staff – I found that I’d been checked in already, as had the two people I was travelling with.
This was completely unaccountable. Yet the ticketing system plainly recorded the fact that we’d already been issued with boarding passes. Consternation all round. A supervisor was called. Our tickets were scrutinised and found to be in order. Heads were scratched; eyebrows raised; brows furrowed. Despite lingering scepticism, the ticket issuer accepted we were who we claimed to be. Then the reluctant admission was made that, despite the fact that checking-in travellers were required to show ID, three people had been able to do so under our names.
More whispers between supervisor and counter staff. Smiles followed. An explanation had been found: it was human error. Your surnames had the same initials as the three people wrongly checked in. Sorry to doubt your identity.
Somehow, as I shuffled toward the plane through the newly installed metal detector, I did not feel reassured.