Companies issue security bulletins for a reason: to tell users of their products about security risks contained therein and to offer details about fixes for the problems. But what good are security bulletins if users don't heed the warnings and correct the problems?
I can't stress enough how important it is to pay attention to this information and to act on it immediately. You need only one reason to give you the proper incentive: black-hat system crackers cull security bulletins and use that information to attack your networks. Can you think of a better reason to review and apply security patches? I can't.
So how bad is this negligence toward security bulletins and fix information? In April 1999, a user discovered a vulnerability in Microsoft Data Access Components (MDAC) that could let an intruder gain a dangerous level of control over a remote Windows NT system. The user initially reported the risk on a public mailing list. Although the list moderator withheld the details of that risk from the public for more than a week, that action didn't prevent a savvy hacker from reverse engineering the available details to create an exploit.
Subsequently, an exploit script (written in PERL) was publicly posted on the Internet, and Microsoft created a patch and workaround to prevent intruders from exploiting the risk on users' systems. Microsoft also issued a security bulletin regarding the matter, as did Security UPDATE and several other security news outlets.
Apparently, the warnings fell on many deaf ears and continue to do so. I say this because over the Halloween weekend, intruders attacked and defaced more than 25 NT-based Web sites – Windows NT Magazine's Web site included! Why did the defacements occur? The people in charge of those servers didn't heed the warnings and correct the configurations of their systems in a timely manner. And in the case of Windows NT Magazine, our in-house administrators simply didn't practice what we technical writers preach. We learned our lesson. But have you?
Apparently, many administrators had something more important to do than handle security. But what's more important than security? After all, what good is spiffy Web content or well-tuned servers and networks if you can't keep them online safely?
It's no fun waking up to the sound of a beeper in the middle of the night to learn that someone has cracked your company's network. It's even less fun to learn that the crackers replaced your home page with offensive material. And it's downright unsettling to think that the cracker might have left several backdoors into your network to further their endeavors. Isn't it less traumatic to apply security fixes and make security-related configuration adjustments in a timely fashion? I think it is.
If you don't make correcting security problems a priority every day, you'll eventually become a victim; that neglect stacks the odds against you.
Crackers practice silent diligence and perseverance; therefore, you need to become like them in this respect, unless you like being an easy target. The best advice I can give is to pay acute attention to security risk warnings as they arise and protect against the risks immediately. Not tomorrow, not next week, but immediately.
