Patches, according to Freund, have problems all their own. "Often they are the least-tested software because they have to ship so quickly. Or they can be reverse-engineered to uncover the vulnerability that sparked the patch" allowing the bad guys to quickly target unpatched machines. Guidance Softwares Patzakis said that while traditional defenses are doing a decent job against standard attacks, such as garden-variety viruses and script kiddies, "sophisticated hackers are causing extensive damage and are routinely compromising high-profile targets.""From the CIO/CISO standpoint, organizations must be committed to the complete security process," Patzakis said. "On the technology side, this means addressing measures spanning proactive preventative to reactive mitigation/containment. On the human side, people, policies, training and executive awareness are all essential." For more insights from David Coursey, check out his Weblog. Tooting his own horn a bit, Patzakis said a critical component of the information security equation that has been traditionally neglected is the response and investigation process. "Important developments in computer forensics and incident response technology have made the implementation of an incident response and investigation process far more effective and cost-feasible than they have been until very recently." It was on that note that our conversation ended. I am not sure what I learned, but what I gained was an appreciation for how hard the opposition is working and how much more damage they could actually do. I was also frightened enough to rethink my whole security infrastructure. I dont think Ive dealt with all my vulnerabilities yet, but security is always an ongoing process. One that I hope this column will help you commit (or recommit) to. Check out eWEEK.coms Security Center at http://security.eweek.com for the latest security news, reviews and analysis.
To address this, greater executive awareness and urgency are needed at the highest levels of businesses and government, Patzakis said. This, he warned, may come about through increased regulation as companies are required to show they meet a standard of protection required by future legislation or contract terms.