Home Office to give early warning on security holes

The Home Office has said it will start giving advance warning about upcoming security patches and software vulnerabilities to essential public services, such as transportation, health and telecommunications.

The National Infrastructure Security Co-ordination Centre (NISCC), which is part of the Home Office, was set up in 1999 to work with both public and private sector organisations to try and ensure the Critical National Infrastructure can withstand an electronic attack.

The majority of viruses and worms are developed by hackers who reverse-engineer patches produced by software developers in order to plug security vulnerabilities.

Over the past few years, the time between a vulnerability being announced - which is usually the same time that the software patch is issued - and an exploit being distributed is shrinking. This means that administrators have less time to secure their systems than ever before.

Security risk management firm TruSecure welcomes the NISCC's idea but warns that sometimes too much information can be more damaging than not enough information.

Malcolm Skinner, director of marketing at TruSecure, said that there are too many vulnerabilities, so if the 'essential services' tried responding to them all, they would run into problems.

"There are far too many vulnerabilities out there. What organisations really want to know about are the vulnerabilities that are important and can be exploited," said Skinner.

According to Skinner, simply being informed of vulnerabilities is less important than knowing how to minimise the risk of being infected by an exploit.

"The same things that were said after the first MyDoom are being said now. How many times do we have to say it? If the warning is just to let the services know there is another vulnerability coming out, it's not much use," said Skinner.

Munir Kotadia writes for ZDNet UK