There’s an old, somewhat banal, joke about how the only good thing about being hit over the head with a hammer is that it feels so good when it stops.
In the last couple of months there have been several new, quite effective, Windows worms which have infected hundreds of thousands of machines worldwide, consumed huge amounts of Internet bandwidth, and caused billions of dollars in lost time and productivity dealing with the results.
As a business person, as well as a geek, I thought about the hammer joke more than a few times lately. Just when are people going to stop hitting themselves over the head? Or, more accurately, allowing themselves to be hammered.
Now, as anyone who’s been reading my column for a while knows, I’m not a fan of Microsoft’s security abilities. For years now I have written many column inches about how Microsoft is more concerned with locking in their customers and preventing compatibility with competing products than protecting their customers from attack.
Nothing has really changed, so I feel no need to go over this again. I’m sure people are tired of reading about this, and frankly, I’m tired of writing about it.
So this time I thought I’d try something a little different — step back a bit, and present a meta argument which might help put computer security in a broader context.
First off, computer programming is extremely difficult, and no one gets it right 100 percent of the time. MS Windows, Linux, MacOS, Solaris, even BSD — every operating system and application has had software bugs in the past, some remotely exploitable, and likely will again in the future.
Similarly, every operating system can be mis-configured by the end user or administrator to be insecure. No matter the inherent security abilities of the organization behind a particular system, if the end user doesn’t understand what they’re doing, disaster may be just around the corner.
From this, three conclusions present themselves.
First, there are security advantages in having diversity in deployed systems. While many organizations like to standardize on only platform because of the cost savings in having to support only a single system type, if that platform has a exploitable problem, everything fails.
This is true not only with regards to computer systems, but just about every other context as well. There have been many cases where the planting of only a single type of crop has resulted in starvation when said crop is infected with a decease.
Second, security is the responsibility of each and every organization and end user. Most worms and other attacks have used software bugs, or “infection vectors”, which have been documented before the attacks occurred, and for which fixes, or “patches” have been available for some time.
As an analogy, think of motor vehicles. From time to time a manufacturer may issue a recall of in order to fix a bug discovered. Usually the bug is fairly minor, but as Ford and Firestone know, they can at times be life threatening. Now, if such a bug has been discovered, but the users don’t bother to have it fixed, then is the fault entirely that of the manufacturer?
Thirdly, observation. Related to a feed-back loop. Usually when a system has been compromised there are indications that this is so. Anything from increased instability (although with Windows, it might be hard to tell) to an unusually large amount of network traffic could indicate a problem. I have seen cases where an organization was hit with a worm, but didn’t notice their network connection was saturated.
Again, using the vehicle analogy. If you’re driving along and you notice lack of power, engine pinging, back-firing and blue smoke streaming out the back of the car, you’ll probably think about taking it in to have it looked at. Amazingly, such analysis doesn’t seem to apply for most computer users.
There is of course much more to computer security than what’s covered here — this is meant more as a starting point for discussion within your own organization. Firewalls, Intrusion Detection Systems (IDS), Honeypots, disabling unused services, the list of what should be examined is very long.
However, I would argue that most people and organizations do not even apply these three basic security postures to their computer infrastructure, and thus are entirely at the mercy of worm authors and computer crackers.
Considering how critical computers have become to today’s business, the risk-management being applied is inexcusable. The CEO of all organizations need to ensure they’re doing what is needed — and this should trickle all the way down, through the COO, the CTO, then the Tech department, then the end user.
All of these roles may be filled with one person, or many. If the resources are not available in house, then outsource. But to simply sit with fingers crossed, hoping that the next worm doesn’t cause a true disaster, is unsound business.
Basic business is maximizing return while minimizing risk. Manage your risk.
Published in the Victoria Business Examiner.