By Forrester Research
Special to CNET News.com
July 31, 2003, 5:45 AM PT
Michael Rasmussen, Director, Forrester ResearchMicrosoft and Cisco Systems announced major vulnerabilities last week.
Companies need a plan to respond and should not rely on products alone for protection.
This is a people and process problem. The Microsoft vulnerability is a significant exposure into every operating system running the NT code base from NT to 2003. The Cisco vulnerability is an exposure that could crash every router.
Vendor claims are far-fetched and provide a false sense of security. No vendor today resolves these vulnerabilities, except Microsoft and Cisco with the patches they implement. Security vendor solutions may hold back the evil hordes of hackers should they come knocking, but the deviants will break through given enough time and motive.
The only true answer is to patch systems. Organizations should focus on the process and policy portion of security as much or more than the technology aspect. Do not put blind trust into security vendor claims of protection. Rather, honestly evaluate how the product works and the time it potentially buys you.
Develop a patch management process based on business risk, so the critical business applications and support systems (network, desktop, for example) are expedited and patched in accordance with the risk the organization faces.
© 2003, Forrester Research, Inc. All rights reserved. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.