Wake-up call for CIOs as Symantec flaw outed |
 |
By Linda Tucci, Senior News Writer
31 May 2006 | SearchCIO.com |
|
|
What do you do when a security vendor becomes a potential vector for malware? Besides shake your head over the irony of it.
CIOs should demand more from their security vendors, for starters, said analysts. Farsighted IT organizations will also make sure security is part of their evaluation process for purchasing all their commercial software.
|
|
|
|
|
[CIOs] have to demand that their vendors take greater care and better due diligence in their security development processes.
Amrit Williams
analyst, Gartner Inc.
|
|
|
|
|
|
|
|
|
|
"The world is changing. We now have a digital environment that is very hostile, and the attacks are not just against Microsoft. They're against everything," said analyst Amrit Williams, who covers security for Gartner Inc. in Stamford, Conn.
"CIOs need to add security to the criterion they use to evaluate all the software vendors they do business with. They have to demand that their vendors take greater care and better due diligence in their security development processes," Williams said.
The advice comes in the wake of last week's news that Symantec Corp.'s antivirus software for business customers, Symantec Client Security 3.0 and 3.1 and AntiVirus Corporate Edition 10 and 10.1, contained critical flaws that could allow a remote or local attacker to steal data, delete files or embed malicious code. Intruders looking to exploit the vulnerability could gain access without the user doing anything, making for a scary situation.
The flaws were made public last week by researchers at rival security vendor eEye Digital Security Corp. in Alieso Viejo, Calif., before a fix from Symantec was available -- a move some industry experts decried as irresponsible. The unwritten protocol is that researchers give developers at least seven days to fix an error before the vulnerability is disclosed.
Cupertino, Calif.-based Symantec said its engineers worked nonstop to fix the flaws, providing intrusion prevention system signatures and a patch over Memorial Day weekend. No exploits of the vulnerabilities were detected.
The exposure could have been a "huge problem" if the flaws were in Symantec software used by consumers rather than business customers, said security analyst Natalie Lambert, who covers Symantec at Forrester Research Inc. in Cambridge, Mass. "Enterprises today are every good at keeping their systems updated. The fact is that most companies have the means to deal with this," she said.
But the Symantec incident drives home the point that security is "much more than antivirus products," Lambert said. "I am a big proponent of client security suites, or products that have multiple security functions, antivirus, antispyware and personal firewalls. Symantec clients who have defensive depth will most likely have caught any vulnerability."
Gartner's Amrit Williams said that minus an exploit, CIOs were able to treat the Symantec flaw like any other software vulnerability, monitoring the vendor site and downloading the patch when it became available. That said, he drew a sharp distinction between a vulnerability found in a software application and a flaw that potentially turns a security vendor into a vector for malware.
"It's one thing for Microsoft or any other commercial software to have a flaw in their product. When it happens to the security products that we spend money on to protect us, there should be outrage by the consumers of that technology," Williams said.
While security companies are certainly driven by the same bottom-line pressure as other businesses -- making money, he said, "They are in a unique position because we are looking to them to protect us, and they need to understand that they are held to a higher standard."
Let us know what you think about the story; e-mail: Linda Tucci, Senior News Writer
|
|
|
|
