Security–why don't we get it?
We were lucky. I know this statement seems unbelievable to anyone who spent hours cleaning up after these worms. But the cold truth is that these worms barked more loudly than they bit. If their malicious payloads had been as effective as their propagation techniques, the computing infrastructure upon which we all rely could easily have been devastated. Devastation didn’t happen. But a wake-up call sounded for those willing to hear it: Our defenses failed because our legacy security model is reactive. We depend upon vendors who react to a security threat by rushing out patches, antivirus and Integrated Decision Support (IDS) definitions, etc., that defend against only that specific threat. It’s the digital version of closing the barn door after the horse gets out. To make things worse, the gap is collapsing between the publication of a new vulnerability and the appearance of an exploit that takes advantage of it. More alarming still, our window to react to such exploits is shrinking. Slammer, for example, infected 90 percent of all vulnerable PCs on the Internet in 10 minutes. We must instead adopt a proactive security model that neutralizes attack vectors before a true crisis occurs. Full Story