
Microsoft and IBM Hone Security Warning Systems

Better security updates in the offing

“In the fight against IT security threats, timing is everything.”

So says Stuart McIrvine, director of security strategy at IBM. “These days, hackers are able to reverse engineer newly published security patches and deploy an attack on an unpatched system in 48 hours,” he notes.

Two new security services—one from IBM, one from Microsoft—aim to help both security managers and senior executives stay ahead of marauding vulnerabilities, and to begin patching systems more quickly.

IBM Releases Monthly Security Index

The first is a new security service from IBM for tracking threats; it's targeted at “companies that have elevated security issues from the server room to the boardroom,” says McIrvine. For the service, dubbed the IBM Global Business Security Index, security experts at IBM use data from half a million monitored devices in IBM-managed networks and rate the potential severity of threats.

For example, IBM notes attacks against critical infrastructure providers—government agencies, telecommunications companies, and utilities—rose by 55 percent just from July to August. In the same timeframe, attacks against businesses it monitors rose by 27 percent. The most prevalent attacks involved attempts to exploit the LSASS vulnerability in Windows, including from the Korgo and Sasser worms.

One ominous and increasing trend is reconnaissance of vulnerabilities in such Web-server software as Microsoft IIS, Apache HTTP Server, and Netscape iPlanet. This activity portends “more complex, singularly directed attacks against systems that are found vulnerable,” says IBM.

Befitting the index’s board-room focus, beyond noting current attack trends, it will detail “business continuity trends,” including “recommendations for keeping employees, customers, suppliers and partners connected, with critical business information, during natural disasters, such as hurricanes, and widespread power failures.”

Microsoft Previews Monthly Security Bulletins

As the time decreases between public disclosure of vulnerabilities and attacks, Microsoft is also making changes to help security managers respond more quickly.

Per customer request, Microsoft will now give three business days of warning—when possible—before it releases a new security bulletin. Since Microsoft’s monthly security bulletins appear the second Tuesday of every month, that means that on the first Friday of the month security managers will have a hint of things to come.

The goal of this new approach is “to assist customers with resource planning for the monthly security bulletin release,” Microsoft says. Even so, the company promised the advance notice would not detail the exact vulnerabilities. “The advance notifications will include the number of bulletins that might be released, the anticipated severity ratings, and the products that might be affected.” The goal is to buy security managers more time.

As an example of information the bulletins will carry, this month’s advance warning says there will only be one bulletin, “affecting Microsoft Internet Security and Acceleration (ISA) Server,” and notes “the greatest maximum severity rating for this security update is Important,” and that the patched machine may require a restart.

Microsoft says all warnings are tentative and subject to change.

Beginning in December, Microsoft will offer advance-notice warnings via e-mail. (For more information, see its TechNet Security site: http://www.microsoft.com/technet/security/CurrentDL.aspx)

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.
