
Faster security updates urged
Microsoft timing panned at meet on security network
April 19, 2005
Toronto Star

Microsoft Corp.'s monthly security updates are a step in the wrong direction, according to a computer security expert who spoke at the NetworkWorld Conference and Expo in Toronto yesterday.

The software behemoth used to release computer code to fix security problems as soon as possible. But Microsoft started releasing patches in a monthly bulletin in 2003, in an effort to make the process more predictable.

"Five or 10 years ago, 30 days was a decent time window," William Young, a senior security architect for Sourcefire Inc., said yesterday at a LinuxWorld and NetworkWorld joint conference at the Metro Toronto Convention Centre.

But now, the monthly update cycle effectively gives hackers weeks to attack insecure computer systems, Young said.

The time between identifying a potential problem and an attack has "significantly decreased" in the past few years, putting businesses at a real disadvantage in their battle against intruders, said Young, whose Columbia, Md.-based company makes computer intrusion detection software.

Carol Terentiak, security strategy and response manager for Microsoft Canada, said the decision to move to a monthly cycle was based on customer feedback, and she said the response so far has been positive.

Moreover, the company isn't completely locked into a monthly schedule.

"We have issued out-of-cycle updates when we know that our customers are at risk because there is a vulnerability," she said.

While Young has some concerns about Microsoft's security cycle, he said people shouldn't delude themselves into thinking they are safe simply because they are running the Linux computer operating system, an alternative to Microsoft's Windows system.

People often mistakenly assume the Linux operating system is more secure, he said, because fewer viruses target the operating system.

Linux might be "open source" - meaning the computer code can be modified by any programmer - but Young said that doesn't make it totally secure.

"There are more eyes on the code, so it is more likely a fault will be discovered," he said. "But regardless of the network environment, there are fundamental processes that are required for proper security."

Computer firewalls, which block unwanted communications between the Internet and the company's internal network, are important. Monitoring activity within a corporate network is also essential, since so many security problems come from within.

Employees using laptops present a real challenge, Young said. A company might be able to initially ward off a computer virus by ensuring all desktop systems at work are protected. But often no one updates the software on laptops or scans them for viruses.

Legitimate users also frequently install software on their office computer without checking with the computer security team. Seemingly innocuous software, such as instant messengers, can pose real security threats.

That's why Young said it's essential that computer security specialists constantly monitor everything installed and transmitted over the corporate network.

Sometimes, all it takes to break into a corporate computer network is a couple of pizzas. Young is often hired to try to infiltrate a computer network by any means possible. In one instance, he simply bought a bunch of pizzas for the information technology staff several days in a row, saying they were courtesy of management for all their hard work. On the final day, the security guard recognized Young as the pizza delivery guy and buzzed him into the data centre without an escort.

"If your system got broken into, it's probably because you left the keys in the front door," Young said.
