CSOinformer - Security wisdom ahead of the curve

Dr Slammer, or How I learned to stop worrying and love downtime

February 11, 2003 - Jim Reavis

The Slammer, or Sapphire, worm has come and, for the most part, is gone. This worm effected a literal halt of the Internet in many parts of the world and stopped many critical business functions within corporations. South Korea's Internet connections were out of service for the most part. At first glance it seemed the timing of the worm was going to spare the U.S. from much of the damage, but that wasn't the case, and as the week went on the stories poured in. Bank of America's ATM network was down and other financial institutions had similar problems. A contractor for two major energy companies could not access either of their networks and was receiving Monday's electronic mail on Thursday.

How do I grade the players in this latest saga? Let's take a look:

Microsoft B- = Seriously, how much blame can we ascribe to Redmond when they released a security advisory six months prior to the attack, complete with a patch for the affected SQL Servers? Of course they cannot get an A, because they released the insecure product in the first place, and they get the minus for having a lot of security advisories to wade through and for making the process of patching computers only slightly less painful than a trip to the dentist.

Information Security Industry D = If there is going to be an information security industry in the long run, these are the moments in which it needs to shine. Vulnerability assessment companies can claim that they warned you, but they didn't do too much to help you. Many companies claimed that they could help - the next time Slammer attacked. There were some very good examples of smaller companies who trapped Slammer with anomaly detection technology or prevented it with patch management. But the big guys - the security companies most of us have standardized on - seemed to have very few answers.

Systems Administrators F = When it comes right down to it, I think we all need to take personal responsibility for the security of our networks. The underlying vulnerability for Slammer was announced on July 24, 2002 by Microsoft bulletin MS02-039 and given the maximum severity rating. History tells us that nearly all wide-scale attacks are based upon known vulnerabilities. Microsoft released 72 security bulletins in 2002, not a tiny number, but not exactly the population of Hong Kong either. A systems administrator reading MS02-039 should have seen the hallmarks of a potential problem: the nature of the vulnerability was such that it could be automatically exploited without any local interaction. However, most chose not to apply the patch. No doubt I will be accused of oversimplifying the matter; I am well aware of the complexities of interdependent systems and the competing priorities of the systems administrator. Still, my message to systems administrators is that you need to know that your network is composed of defective technologies and imperfect tools, and you need to deal with it. Your network belongs to your company, not Microsoft, Symantec or Cisco. You may have an idiot boss, no budget and an unrealistic set of priorities, but you also have a job to do.

Clearly, what is needed are sophisticated patch management technologies to aid organizations in managing updates, which will only increase in frequency. Among the key needs:

Everyone makes the same comment: patching is difficult. But they rarely explore why. The complexities associated with patch management are often discussed, but the main reason is left out. What is the main reason, the specific, detailed, single reason why patches do not get installed? Because for most patches, the system must be rebooted after they are applied. When you reboot a computer, a hundred different things can happen and only one of them is good. The Reboot Dilemma is the undoing of many a systems administrator. Anyone who has worked in the business for more than a year has their own personal horror story of an upgrade gone awry, and of a two-hour project turning into a lost weekend. We need to figure out how to install service packs and hotfixes dynamically, without requiring a reboot. If any of the nascent patch management companies could figure this out, I'll stand in line for their IPO.


CSOinformer is edited by Jim Reavis, founder of SecurityPortal and longtime industry analyst. This monthly newsletter is targeted at people who must take a strategic, multi-year view of the information security industry, and we promise insights you will not find anywhere else.

CSOinformer is a service of Reavis Consulting Group, and is published on the second Tuesday of each month.


© COPYRIGHT 2002/03 REAVIS CONSULTING GROUP. ALL RIGHTS RESERVED.