BLACK HAT - Management apps could pose security risk

03.08.2006

In July, eEye Digital Security publicized a hole in McAfee Inc.'s ePolicy Orchestrator (ePO), a remote security management tool, that would allow a malicious hacker to write malicious files to, and run them on, any remote system managed by ePO. In recent weeks there have been reports of similar holes in McAfee's Security Center product (http://www.infoworld.com/4362) and Symantec's Antivirus software.

Organizations can request third-party code audits to verify the quality of the enterprise management software. At a more basic level, customers should ask about the kinds of security controls that are included with the system and then enable those controls when the product is deployed.

"Many of the issues we found could have been mitigated by having stronger authentication -- some kind of access control at the agent and administrative console levels," Goldsmith said.

Compounding the problem, Ptacek said, are security features such as strong user authentication that are included with enterprise management systems but often disabled by default when the products ship.

"It's critically important that IT groups turn on (the authentication) features. Otherwise it really is like you have a botnet on your network," Ptacek said.