‘What you don’t know won’t hurt you,’ goes an old saying. In IT security, however, what you don’t know can hurt you, according to security experts.
Awareness of a security flaw allows organizations to proactively defend against possible attacks, even in the absence of a patch to correct the flaw, said Craig Andrews, director for sales engineering, Symantec Canada in Toronto. “But unless you know about (the threat) how can you take those actions?”
There are several steps companies can take to protect against attacks on an unpatched vulnerability, he said. Updating firewall and other filtering technologies, for instance, can put extra defenses around the known flaw while awaiting the patch.
Ensuring that all backups are complete and updated could also mean survival in the event of a successful attack, he said.
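The filtering step described above, as an added example that is not code from the article or from any vendor it names: a small, time-boxed "virtual patch" that sits in front of a web application, confines a known-but-unpatched component to a trusted management subnet, and flags itself when its review date passes without a real fix. The endpoint path (`/admin/`), the rule name, the subnets and the sample requests are all constructed for illustration and are not taken from the page.

```python
"""Compensating control for an unpatched flaw: a time-boxed "virtual patch".

Added example (not from the article). While a vendor fix is pending, requests
to the affected component are filtered at a choke point and limited to trusted
sources. Each rule carries a review date so the control cannot silently
outlive the incident; an expired rule is reported, not quietly enforced.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class VirtualPatch:
    """One compensating rule for a known, unpatched flaw (hypothetical)."""
    name: str                  # tracking label, e.g. an internal ticket id
    path_pattern: str          # regex matched against the request path
    allowed_sources: List[str] # CIDRs still permitted to reach the path
    expires: datetime          # review date; rule is no longer enforced after it
    methods: FrozenSet[str] = frozenset({"GET", "POST", "PUT", "DELETE"})

    def matches(self, path: str, method: str) -> bool:
        return method in self.methods and re.search(self.path_pattern, path) is not None

    def allows_source(self, src: str) -> bool:
        addr = ip_address(src)
        return any(addr in ip_network(cidr) for cidr in self.allowed_sources)


@dataclass
class Request:
    src: str      # client IP address
    method: str
    path: str


def evaluate(req: Request, patches: List[VirtualPatch],
             now: datetime) -> Tuple[str, Optional[str]]:
    """Return ("allow" | "block" | "expired", rule name) for one request.

    "expired" means the only matching rule is past its review date. The
    request is passed through, but the caller should alert: an expired virtual
    patch with no vendor patch applied is an unprotected flaw.
    """
    expired_match = None
    for p in patches:
        if not p.matches(req.path, req.method):
            continue
        if now >= p.expires:
            expired_match = p.name
            continue
        if p.allows_source(req.src):
            return ("allow", p.name)
        return ("block", p.name)
    if expired_match:
        return ("expired", expired_match)
    return ("allow", None)


# Constructed sample: an admin console with a known flaw awaiting a vendor fix.
PATCHES = [
    VirtualPatch(
        name="VP-0001",                      # hypothetical tracking id
        path_pattern=r"^/admin/",
        allowed_sources=["10.0.5.0/24"],     # management subnet only
        expires=datetime(2025, 2, 1, tzinfo=timezone.utc),
    ),
]

# Constructed sample traffic.
SAMPLE_REQUESTS = [
    Request("10.0.5.12", "GET", "/admin/config"),     # admin from mgmt subnet
    Request("203.0.113.7", "POST", "/admin/config"),  # internet source
    Request("203.0.113.7", "GET", "/index.html"),     # path not covered by rule
]

DURING_WINDOW = datetime(2025, 1, 15, tzinfo=timezone.utc)  # rule in force
AFTER_REVIEW = datetime(2025, 3, 1, tzinfo=timezone.utc)    # rule expired


def run(now: datetime = DURING_WINDOW) -> List[Tuple[str, Optional[str]]]:
    """Evaluate the constructed sample traffic at a given point in time."""
    return [evaluate(r, PATCHES, now) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for r, decision in zip(SAMPLE_REQUESTS, run()):
        print(f"{r.src:>12} {r.method:5} {r.path:15} -> {decision}")
```

The expiry field is the part most often left out in practice: a compensating control added during an incident tends to stay forever, and a rule nobody remembers is as likely to block a legitimate new integration as to protect anything. Tying the rule to a review date and surfacing "expired" separately from "allow" keeps the gap visible until the actual patch is applied.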
When it comes to disclosing security flaws, software vendors vary in their disclosure policies. One thing is certain, though: the risk of not publicizing a known vulnerability is higher than the risk of publicizing it, said Andrews.
Microsoft Corp. may take the most heat on security vulnerabilities, but users and analysts believe other software vendors need to catch up when it comes to dealing with flaws found in their products.
Last month, Oracle released a quarterly roundup of software patches designed to fix 82 vulnerabilities. Cisco Systems Inc. also issued patches in January for several flaws affecting its routers and Call Manager software, and EMC Corp. released a set of patches for its NetWorker backup software.
Such disclosures highlight the fact that Microsoft isn’t the only vendor with security problems, said Steven Gelfound, IT director of the U.S.-based National Center for Missing and Exploited Children. But because of its huge user-base, Microsoft typically “causes the most pain.”
“Microsoft is held to a higher standard, which lets other vendors get away with practices that Microsoft would have been creamed for,” said John Pescatore, an analyst at Gartner Inc. Oracle rarely divulges the details of the vulnerabilities in its products as completely as Microsoft does, he said.
Other vendors also haven’t been as forthcoming as Microsoft in sharing vulnerability information that can help users mitigate their exposure to threats, said Michael Sutton, director of VeriSign Inc.’s iDefense Labs unit in Reston, Va.
Last July, Cisco won a court injunction preventing a researcher from discussing a hack of its router software. Last March, Sybase Inc. issued, and later dropped, a threat to sue Next Generation Security if it published details on eight security flaws in Sybase’s database software.
Oracle’s decision to limit the amount of vulnerability information it discloses is driven solely by the interests of Oracle users, said Duncan Harris, Oracle senior director of security assurance. He said more complete disclosures only increase the security risks faced by users.
Cisco, meanwhile, plans to continue releasing security fixes as they become available, instead of waiting for periodic updates, said Mike Caudill, Cisco’s product security incident manager. Cisco has a long tradition of working with security researchers who find vulnerabilities in its products, but researchers need to be more consistent in the manner in which they disclose those flaws to the vendors, Caudill added.