Companies that were hit by both the Code Red and Nimda worms should quit using Microsofts Internet Information Server immediately, says Gartners research director for Internet security, John Pescatore.
"Code Red had so much publicity. Dan Rather was talking about it. It had to be a wake up call," for business owners and system administrators, says Pescatore. "If you got hit by Nimda, youve proven you cant keep up with the security problems of IIS. Its like a car: Dont buy a Fiat unless you are prepared to get it fixed a lot."
Gartner, one of the best-known high tech consulting firms, seldom advises its clients to steer clear of specific software.
The firms recommendation is the latest in a string of hits IIS has taken on the security front. This summer, J.S. Wurzler Underwriting Managers began charging up to 15 percent more in premiums to clients that use IIS. Wurzlers decision was made before the Code Red worm – which feasted on IISs vulnerabilities – caused some $2 billion in damage. Wurzler is also charging higher premiums to clients who use NT. The underwriter, who relies on London syndicates for coverage, based the decision on security surveys that it has done on more than 400 companies.
Wurzler found that system administrators working on open source systems tend to be better trained and stay with their employers longer than those at firms using Windows software. That turnover may mean that security patches dont get installed, said the companys CEO and founder, John Wurzler. If companies are able to prove that their administrators are following best practices and have installed all up-to-date patches on their NT and IIS machines, they can get discounts on their premiums.
"Our sense is this is an extreme recommendation that would require customers to make a more costly alternative and ignores the fact that security is an industry-wide issue that affects all platforms," said Microsoft spokesman Jim Desler. "IIS is as secure our competitors server software and the real issue is how a company supports and responds to vulnerabilities and viruses and worms." Desler added that companies who have installed all the recommended patches -- available at no charge on Microsofts Web site – were not hurt by Nimda.
The Nimda worm can spread through e-mail, file sharing and Web site downloads. The worm bundles several well-publicized exploits against IIS, as well as Microsofts Internet Explorer browser and operating systems such as Windows 2000 and Windows XP, which have IIS embedded in their code.
Pescatore said a key problem for IIS is that much of its source code is three years old. And he has been concerned about the softwares vulnerability for months. "When the Code Red worm came out, we did a research note that said enterprises had better realize that IIS has a high total cost of ownership."
Despite the worms and the issues raised by Gartner and Wurzler, no insurance brokers or carriers have said they will change their approach to IIS.
Tracey Vispoli, cyber solutions manager at Chubb, a large insurance carrier, said that her company includes software platforms among several factors when it sets premiums for insurance coverage. Even if a company using IIS got hit by the Code Red and Nimda worms, "Its still a risk that Chubb would take if the company can show they have technology and security in place. We look at their philosophy toward security," she said.