The proliferation of computer virus attacks, including the outbreaks of Blaster and SoBig.F at the end of the summer, reminded the business world of the persistence of the systems security problem. While IT security professionals are paying more attention to the threat, countermeasures are often onerous to implement, and industry security experts are raising questions about the vulnerability of the Microsoft platform.
The main problem for many organizations is simply keeping up with the number of threats, the speed with which viruses attack, and the number of patches they must test and deploy to protect their systems.
Regulatory compliance and reputation concerns make financial services firms especially scrupulous about defensive measures, and generally better prepared. But even when the threat is clearly understood and a patch is available, security managers can face resistance. At Prudential Financial (Newark, N.J., $422 billion in total assets), which has offices in more than 25 countries, some business units didn't want to take the time to install software fixes. "They were questioning why we were putting them through this patching misery," says Ken Tyminski, chief information security officer. "They had to bring in developers who had to work late, and other projects had to be put on the side."
The high costs of such measures, in both money and time, are raising questions about Microsoft's response to the virus threat, according to Clifford Riggs, a senior partner at information security consultancy Proteris Group (Williston, Vt.). After the havoc of the Blaster and SoBig attacks had passed, Microsoft issued a security bulletin warning of three critical vulnerabilities in the Windows operating system.
Microsoft has been touting a focus on security, but many users are left doubting whether to believe it, Riggs says. "What we've seen this summer tells us that it's more marketing than actual changes in the way they're doing business," he contends.
Riggs believes that the biggest problem with vulnerable technology products is the end-user license, which, he argues, "shields companies from legal action concerning a defective product." "You couldn't sell a car like that."
"Modifying the end-user agreement wouldn't actually solve anything, although it might look like a good PR stunt," counters Mark Horvath, Microsoft's senior technical strategist for financial services. He asserts that Microsoft has mounted efforts to be more responsive. Among these is the Trustworthy Computing Initiative, a 10-year plan begun in 2001 with the aim of completely reworking its products. "We recognize that to truly fix the problem we need much more than a couple of patches and new packaging," Horvath says.
Microsoft is attacking the security question through a "respond-and-prevent" approach, Horvath reports. Response includes improvement of the vendor's patch management methodology, based largely on feedback from the industry. That feedback includes input from Microsoft's CSO advisory council, a panel made up of the chief security officers of 30 of the largest financial services companies in the world, according to Horvath. "In the prevent category, we are educating our development staff on the importance of security and on good security practices," he claims.
George V. Hulme of InformationWeek contributed to this article.
Anthony O'Donnell has covered technology in the insurance industry since 2000, when he joined the editorial staff of Insurance & Technology. As an editor and reporter for I&T and the InformationWeek Financial Services of TechWeb he has written on all areas of information ...