One thing's for certain: The numbers aren't pretty, and they aren't getting any better.
Even if you've been spared so far, sooner or later a critical application or OS vulnerability will affect your organization. The costs, time and energy associated with the clean-up can be minimized if the proper tools and processes are in place.
The price you'll pay for not addressing attacks should also be of concern. Should an intruder leverage a given vulnerability, your organization could face data theft or destruction, prolonged outages, and, if the incident goes public, humiliation and decreased client confidence. Each outcome has tangible and intangible dollar loss values. Those may be hard to put numbers around, but failing to include risk management in your vulnerability assessment plan will exact too high a price.
Organizations also face costs associated with automated, targetless attacks, such as those executed by worms, viruses and other malicious code. Worms have accounted for millions, if not billions, of dollars in damages and clean-up costs. What's disturbing is that every heavy-hitting worm we've faced leveraged a known OS or application vulnerability: Code Red used an IIS ISAPI buffer overflow. Nimda exploited an IIS Web traversal vulnerability. Slammer used the buffer overflow found in Microsoft SQL Server's resolution service six months earlier.
Had organizations patched their systems within three to four weeks after these vulnerabilities were announced, they would have been immune to these little buggers (see "Worm Sign" left). Unfortunately, most didn't.
Regardless of whether you fear targeted attacks by humans or nontargeted threats, such as worms, every organization must ask a few basic questions periodically: