META Report: Security Vulnerability Disclosures

User Action: Organizations need a strong, ongoing computer security program capable of protecting the enterprise from the growing number of sophisticated viruses that strike without warning. This program must include continual monitoring of the third-party Web sites that carry reports of newly disclosed vulnerabilities, as well as the sites through which key software vendors issue security patches.

Desktop support groups must regression-test vendor security patches to determine whether they are safe to deploy in their organization's desktop environments. Once a patch has passed testing, it should be distributed and installed promptly; the window between public disclosure and exploitation is the period of greatest exposure.

However, installing patches on desktop systems is an ongoing challenge. It is usually impractical to send IT personnel to every desktop and laptop in the enterprise. On the other hand, simply e-mailing users to inform them of the latest security patch is not enough: some users will never install it, and a single unpatched machine is sufficient for a virus to gain a foothold.

Microsoft is working on an automated desktop patch management solution, and such a solution would be a boon to enterprise customers. However, past attempts to address this issue (e.g., Microsoft SMS) have been unsuccessful. Given the weakness of current automated approaches, organizations must practice strong systems management (i.e., configuration and change control processes, so that the patch level of every machine is known) and frequent vulnerability assessments, while maintaining a hardened perimeter.

A strong security strategy must also include an ongoing program to train and remind users to handle e-mail attachments, downloaded files, and other potential sources of viral infection with adequate care. Most viruses and Trojan horses require that the user at least download the executable, and usually activate it by double-clicking it. Constantly reminding users to be wary of suspicious e-mails and files is as important as the more technical means of interdicting malicious attachments before they reach the desktop.
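As an illustration of the "more technical means" mentioned above, the following Python script screens the attachments of an e-mail message the way a mail gateway filter would. It is an added example, not code from the META report or from any vendor product it discusses; the extension lists, the verdict names ("block", "warn", "allow") and the sample message with its four attachments are assumptions constructed for the example. It catches the two common tricks that rely on a user double-clicking: a double extension such as `invoice.pdf.exe`, and an executable renamed to look like an image, which the filter detects from the `MZ` header rather than the file name.

```python
"""Attachment screening for incoming e-mail (added illustration, not code
from the META report). The extension lists and the sample message are
assumptions made for this example."""
import os
from email.message import EmailMessage

# Extensions that Windows runs on a double-click. Assumed subset for this
# example; an enterprise gateway's list is longer.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                   ".vbs", ".js", ".wsf", ".hta"}
# Containers and macro-capable documents: warn the user rather than block.
WARN_EXTS = {".zip", ".doc", ".xls", ".ppt"}
MZ_MAGIC = b"MZ"  # header of every DOS/Windows executable


def classify_attachment(filename: str, content: bytes) -> str:
    """Return 'block', 'warn' or 'allow' for a single attachment.

    Looks at the *last* extension, so 'invoice.pdf.exe' and
    'resume.doc      .scr' are caught, then at the magic bytes, so a renamed
    executable cannot hide behind a '.jpg' name.
    """
    name = (filename or "").strip().lower()
    _, ext = os.path.splitext(name)
    if ext in EXECUTABLE_EXTS:
        return "block"
    if content.startswith(MZ_MAGIC):
        return "block"          # executable content regardless of its name
    if ext in WARN_EXTS:
        return "warn"
    return "allow"


def screen_message(msg: EmailMessage) -> list:
    """Classify every attachment of a message; returns (name, verdict) pairs."""
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        results.append((name, classify_attachment(name, data)))
    return results


def build_sample_message() -> EmailMessage:
    """Constructed sample mail with four attachments (none is real malware)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Quarterly figures"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"plain notes", maintype="text", subtype="plain",
                       filename="notes.txt")
    # Double extension: the user sees a PDF, Windows runs an .exe.
    msg.add_attachment(b"not really a pdf", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    # Executable renamed to look like an image; the MZ header gives it away.
    msg.add_attachment(MZ_MAGIC + b"\x90\x00" * 8, maintype="image",
                       subtype="jpeg", filename="photo.jpg")
    # Archive: contents unknown, so warn rather than block.
    msg.add_attachment(b"PK\x03\x04fake", maintype="application",
                       subtype="zip", filename="archive.zip")
    return msg


if __name__ == "__main__":
    for name, verdict in screen_message(build_sample_message()):
        print(f"{verdict:5s} {name}")
```

The magic-byte check is the important one: extension filtering alone is defeated by renaming, which is exactly the step a user cannot be expected to notice. A production filter would also open archives and inspect their members, since a `.zip` is the usual wrapper for an executable once plain `.exe` attachments are blocked.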

META Group analysts Chris Byrnes, David Thompson, Chris King, and David Cearley contributed to this article.