The Fear Industry

What you don't know about the security of your information systems can hurt you and probably already has. But how much information about security flaws is too much? Anything you're told about a software vulnerability, the villains surely will pick up, too.

Most people who manage information security say bring it on, subscribing to the belief that the more details they have about vulnerabilities, the better prepared they will be. They count not only on the software vendors' official security advisories, but also on researchers who specialize in analyzing products for flaws.

That's where the controversy heats up. Many researchers bring serious flaws to light, but others are all too willing to cash in on their cleverness by posting information about software vulnerabilities before vendors have a chance to patch their products. This shameless self-promotion of being the first to expose a key vulnerability can bring fame and consulting contracts. Other firms readily open up their checkbooks to pay hackers for dirt on flaws, doling out premiums for the worst flaws--ones that, say, Microsoft ends up rating critical. These disclosures are followed closely by malicious hackers looking for cracks to exploit. They also force IT staffs to drop more strategic projects in order to plug holes in their systems before the next big worm or Trojan strikes.

Security Pipeline | Security

Linked by shanmuga Tuesday, 18th April 2006 12:26AM