Surveys estimate that IT administrators spend between two and six hours a day siphoning the information they need to secure their enterprise's infrastructure and assets.
On a daily basis, an admin's inbox could be overflowing with virus alerts and security bulletins warning about the latest destructive piece of malicious code traversing the Internet or a software flub that allows malware to propagate.
The trick is sifting through the vendor hype to determine which alerts apply to your enterprise, and which just spread FUD (fear, uncertainty, doubt) in an attempt to line a vendor's coffers.
"When I review a write-up by a vendor, I cut through the marketing fog and get right to the issue. How does this bit of malware work? How will it affect my infrastructure? Is my infrastructure suitably protected from infection, and how fast will an infection spread if I do get it?" said a SearchSecurity reader and a computer security engineer who asked to be identified as HC. "Sometimes, the necessary information just isn't there, which is why I use multiple (vendor alert services)."
Often, vendors are motivated by the need to be the first to send out flashes on a potentially destructive worm or virus. This year, however, only Klez and its variants have made any widespread inroads, and they caused little more than a nuisance in most enterprises. Yet Symantec's Security Response Web page, which lists viruses, worms and Trojans currently in circulation, details 38 alerts for July alone. McAfee's AVERT page lists 22 and Sophos lists 20 for July -- and most of those alerts from those three vendors go out in e-mails to customers.
"In our organization, we look at a received alert and decide how likely we are to be infected," said Ian Kelly, an admin in the U.K. "If it's highly unlikely (for example, it can only operate within the Japanese version of Outlook Express 3.5 and has been seen on one standalone PC in a Lab in Tokyo, and I'm in the UK using UK English systems) we don't need to do anything immediately. If we don't have enough technical information from the first alert to make a decision, we look for descriptions from other vendors to make our own risk assessment."
E-mail vendor alerts are the most popular medium for admins to receive security information, and most subscribe to as many as a half-dozen different services. Sites like vmyths.com often help to provide a reality check for admins wondering if the alert they're researching is a hoax.
Ultimately, however, the key decision an admin must make is when to laboriously patch their systems or update their virus signatures.
"We schedule our regular updates (weekly and monthly) and have an informal schedule for additional signatures," said Kelly. "For instance, Sophos is upgraded every month. If we receive notification of three new viruses that are highly unlikely to infect us, we will install the signatures at the end of that week. If we receive two notifications on a Monday about low-risk viruses but info on a high-risk virus on Tuesday, we will update signatures for all three viruses as soon as possible on the Tuesday.
"Some vendors take the approach that, as you update the application you bought from them, they won't need to tell you about a new virus unless it is seen many times in the wild between DAT revisions (be it daily or weekly). Others may believe that in order to continuously enforce how important their software is they have to constantly barrage you with alerts reminding you of how dangerous computers, e-mail, the Internet, etc. are."
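Kelly's two filters, taken together, amount to a small triage policy: drop alerts that name nothing you run, batch low-risk signature updates to the end of the week, and let a high-risk alert pull any still-pending low-risk ones forward to the same day. The Python below models that policy as an added example; it is not code from the article or from any vendor, and the inventory, product names, alert names and July 2002 dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed inventory for a hypothetical UK site (not from the article).
INVENTORY = {"Outlook Express 6.0 (en-GB)", "Windows 2000 (en-GB)", "Sophos AV"}

@dataclass
class Alert:
    name: str
    received: date
    risk: str        # "low" or "high", as judged by the admin, not the vendor
    affected: set    # products the vendor alert names as affected

def applies(alert, inventory=INVENTORY):
    """First filter: does the alert name anything we actually run?"""
    return bool(alert.affected & inventory)

def end_of_week(d):
    """Friday of the week containing d; weekend arrivals are not moved back."""
    return d + timedelta(days=max(0, 4 - d.weekday()))

def schedule(alerts, inventory=INVENTORY):
    """Alert name -> planned signature-update date (None = not applicable).
    Low-risk alerts batch to the Friday of their week; a high-risk alert is
    handled the day it arrives and pulls still-pending low-risk ones with it."""
    plan, pending = {}, []
    for a in sorted(alerts, key=lambda x: x.received):
        # anything already installed by its batch date is no longer pending
        pending = [p for p in pending if plan[p.name] > a.received]
        if not applies(a, inventory):
            plan[a.name] = None
        elif a.risk == "high":
            for p in pending:
                plan[p.name] = a.received   # escalate the waiting batch
            pending.clear()
            plan[a.name] = a.received
        else:
            pending.append(a)
            plan[a.name] = end_of_week(a.received)
    return plan

# Constructed alerts for one week in July 2002 (Mon 15th .. Fri 19th).
OE_GB = {"Outlook Express 6.0 (en-GB)"}
SAMPLE_ALERTS = [
    Alert("W32/Low-A", date(2002, 7, 15), "low", OE_GB),
    Alert("W32/Low-B", date(2002, 7, 15), "low", OE_GB),
    Alert("W32/High-C", date(2002, 7, 16), "high", OE_GB),
    Alert("W32/Tokyo-D", date(2002, 7, 15), "low", {"Outlook Express 3.5 (ja-JP)"}),
]
```

With the sample alerts, the two Monday low-risk items and the Tuesday high-risk item all land on the Tuesday, while the Japanese-only alert gets no action at all.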