SCOTTSDALE, Ariz. -- Zero-day vulnerabilities are the top security concern for the majority (54 percent) of IT professionals, according to the results of an annual customer survey conducted by PatchLink Corporation, a global leader in security and vulnerability management. The survey, completed by more than 250 CIOs, CSOs, IT managers and network administrators across Europe, Asia Pacific and the U.S. , revealed that hackers are the second biggest security concern (35 percent) followed closely by malware/spyware (34 percent).
The prospect of zero-day attacks is extremely troubling for organizations of all sizes. Todays financially motivated attackers are creating customized, sophisticated malware designed to exploit unpublished application vulnerabilities in specific applications before they can be fixed, said Charles Kolodgy, research director at IDC. The problem is compounded by the ever-present human element. User behavior is difficult to control, and many hackers rely on users lapses in judgment to carry out their malicious activity. They also prey on the fact that many IT departments are spread thin and simply do not have the resources necessary to proactively defend against zero-day threats.
Improved Processes and Confidence
According to survey results, faster remediation and more comprehensive risk assessment and prioritization help organizations proactively address these concerns. IT managers reacted far quicker to emergency patches this year as compared to last, as 29 percent of organizations deployed critical updates within two hours during 2007 compared to just 14 percent in 2006. Seventy (70 percent) of IT managers completed fire-drill remediations within eight hours in 2007 compared to just 39 percent during the previous year. In addition, many respondents (60 percent) supplemented their vulnerability management process to include both agent- and network-based vulnerability scanning. As a result, a vast majority (99 percent) of respondents say their organizations are as secure or more secure today than they were in 2006.
In 2003 and then again in 2004, we were hit with devastating worms that exploited vulnerabilities in different applications before we could release the patches from our home-grown deployment process, said Jim Czyzewski, senior information systems specialist responsible for desktop patch management at MidMichigan Medical Center in Midland, Mich. Now were facing less-visible threats such as botnets and rootkits that are typically propagated through zero-day exploits. Effective vulnerability management is critical and serves as the first line of defense against these new stealthier attacks.