Maybe so, but it's also common. "I've never been to a company that didn't have multiple critical servers unpatched, even though they always say, 'Oh yeah, we've got them patched and taken care of, don't you worry about it,'" Roger says. Companies also fail to keep patches up to date for routers, security appliances, third-party browser plug-ins, and on and on.
A big problem is the level of effort to patch everything. The responsible thing to do is to test before you patch, which takes time. Meanwhile, according to Roger, here is what happens:
If I'm a bad guy trying to break in, all I have to do is find out what you run -- Apache, Windows, and so on -- and then I wait until I hear about the patch coming out. Usually the exploits are there within a couple of hours or less than that, and then I break in. The best a company can do is [take] days, if not weeks, to test, approve, and deploy patches. So if I'm a guy who's going to break into a company I can just take my time and learn your environment, learn who your partners are, learn who you have services with, find out what you're running, and then ... bada-bing, bada-boom. I mean, give me a month. What doesn't have a patch in a given month?
Some of the problem is lack of time or, in some cases, sheer laziness in the face of lax accountability. But even in the best case, patching can make the most dogged admin feel like Sisyphus.
Here's where the discussion gets even more difficult. While changing user behavior and keeping patches as up to date as possible would prevent a huge percentage of exploits, traditional remedies, such as antivirus software and firewalls, simply "don't work," says Roger. If they did, they would have worked already. Nothing can keep up with the proliferation of malware, which amounts to an estimated 63,000 new malicious programs per day, according to a recent report by Panda Security.
So what can be done?
Facing the security future
If you're a regular reader of Roger's blog, you know that he advocates default persistent identity as the only ultimate solution to the security mess. That's a controversial position because some think it spells the end of anonymity on the Internet. But Roger sees it as the only way criminal hackers will be forced to pay a penalty. Until then, "it's almost guaranteed they get away with it."
But a persistent identity scheme would require the kind of global consensus and commitment that seems unimaginable right now. Despite the dramatic events of the past few weeks, Roger believes the current sorry state of security will persist for the next 5 to 10 years. He says, "If one-third of adults in the country had their identity stolen last year -- and they did, for the fourth or fifth year in a row -- exactly what would it take for people to care more?"