Security Alerts for the Rest of Us

I hate reading vulnerability bulletins. Talk about dense material. I sometimes find it difficult to follow explanations about systems I understand well, let alone those about systems I use but don't fully understand.

And I know I'm not alone. Network administrators who aren't immersed in security are just as disadvantaged.

The responsibility to issue easily understandable alerts lies with vendors. Not every product user is an expert, but all users need to be aware of security problems so they can take corrective action. This will be difficult, but not impossible. Last November, for instance, Microsoft began issuing separate alerts for technical and nontechnical people. This is a step in the right direction, and I can only hope other vendors follow suit. But you can't leave everything to the vendors.

Nearly all vendors and a few security researchers offer some sort of rating for new vulnerabilities. Although the ratings indicate how serious the author thinks the vulnerability is, you or someone in your organization will have to make that determination once the impact on your network is understood. This may sound obvious, but a threat to your DNS involving spoofing may seem low grade until you realize exactly how much trust we place in an untrustworthy system.