Research from the SANS Institute has revealed that unpatched PCs last an average of 20 minutes between being connected to the Internet and having their ports probed by malware. Clearly, existing approaches to network security, such as patch management, are not working.
It's an old issue, and one that affects us all. Even if every IT manager patched every computer on their network before letting it talk to the outside world (an impossible task in itself), the millions of unprotected home PCs would continue to provide a welcome habitat for viruses, worms and Trojans capable of disrupting networks.
As Microsoft's refreshingly frank ex-CIA security consultant Fred Baumhardt pointed out at the company's TechEd conference in Amsterdam recently, there's clearly something wrong with the system. When he asked a room full of perhaps a thousand Microsoft customers and developers whether they thought Microsoft, and software vendors in general, were doing a good job of security, not a single hand went up. And those were Microsoft customers.
Like the man said: if the human body relied on patch management, we'd all be dead.
Security should not end with the user, the IT manager or the software vendor. Those who run the Internet should bear more responsibility.
If our water companies failed to filter out the crap from our taps, we'd all be as dead as the fish in the Thames that were killed by the overflowing sewage in the recent flash floods. Many of us do use water filters but these are a secondary measure; we expect to be able to drink our water straight from the taps because the companies that supply it have a responsibility to keep it clean, and face heavy fines if they fail in their duty of care.
Why do water suppliers have this duty of care? Because filtering water is not the end user's core competence.
But when we attach a PC to the Internet, we might as well be wading through open sewers. Currently, many ISPs are allowing Internet traffic to flow through their systems completely unfiltered, which is akin to a water authority pumping out raw sewage to its customers to clean for themselves.
Advanced scanning needs to be shifted upstream to the Internet level, where it is possible to be proactive as opposed to reactive. Governments really need to put additional pressure on the ISPs to take ownership of the problem, and to filter the connections that they are providing to businesses and to home users.
The communications regulator, Ofcom, is the closest thing we have in the UK to an Internet version of the water regulator. Currently, Ofcom regulates the communications market but it does not regulate the Internet; in practice it is quick to say that it has no mandate to regulate Web sites, but is slow to talk about its responsibilities for electronic networks, which is where the problem lies.
There is a clause in the Communications Act, under which Ofcom operates, that says Ofcom has a role in stopping abuse of electronic networks. Some senior people have already told us that they want Ofcom to use the clause to get ISPs in line. It is time it did.