Patching policies must be part of everyday practice

摘要

Security administrators don't have it easy. As well as having to perform system updates, back up servers, monitor intrusion detection systems and complete other tasks, they now need to find time for another critical task: applying software patches. According to last month's Internet Security Threat Report from Symantec-an analysis of network-based attacks, known vulnerabilities and malicious code for the six months between July and December 2003 - 2,636 new vulnerabilities were documented in 2003, an average of seven per day. As of today, potential attackers are aware of 9,000 vulnerabilities affecting more than 20,000 technologies from around 200 vendors. Seventy percent of the vulnerabilities found last year were easily exploited due to the fact that no exploit was required or an exploit was readily available. This is usually a preventable situation, but because many servers were left unpatched, the viruses entered through open doors into systems all over the world. Perhaps more worrisome is the fact that the period of time between the announcement of a vulnerability and the release of an associated exploit is shrinking.