Wednesday, January 21, 2009

does conficker have a silver lining?

don weber posted an intriguing thought about the massive conficker worm actually making the internet more secure...

he's got some sound logic - it does shine the spotlight on the problem and give people who know what to do an opportunity to convince decision makers to do the right thing and that could certainly make people more secure...

trouble is i made the mistake of saying something similar in the previous decade... technically it was more along the lines of 'it would be good if X were bigger/more damaging because then people would sit up and take notice'... as you can imagine then along came something that was bigger/more damaging and people did sit up and take notice... where's the trouble with that you say? i got what i wanted, right?

wrong... a lot of people were negatively affected for what turned out to be a temporary lesson... i'm sorry to say but one of the observations i've made over the past 19 years of following the malware problem is that people largely do not retain the lessons of the past and thus wind up repeating history over and over again...

this case is likely not going to be any different - while don suggests that the efforts put forth as a result of this mass infestation are going to make future mass infestations harder he neglects to mention that there have been plenty of mass infestations in the past whose cumulative effects should have made mass infestation darn near impossible by now if the effect had any kind of staying power...

but the effect doesn't have staying power, it's short lived... there certainly is a window of opportunity for people to push through smart policy/technology changes, but the window is not large - take advantage of it now while it's still open...

6 comments:

Graham Cluley, Sophos said...

Good point, well made.

As a fellow old-timer, I have to wearily agree with you. People get hit by a virus, learn the lesson *for*a*short*while and then soon return to their old bad practices.

But at least the headlines and mayhem surrounding Conficker will have encouraged many to update their security patches and review their protection.

It may have been too late to prevent them from being hit by Conficker, but who knows what other malware they successfully prevented by having a new year refresh of their security?

LonerVamp said...

A sad amen to that! I wonder if this is because technology changes so quickly that we "forget" the lessons learned? I know business has this tendency to be intolerant of one-offs and perpetual activities (secure it 100% and we're done!) in almost every piece of it. But changes go faster than that...

The situation can go back to the age-old analogy of an immune system building up resistance to a cold bug for a short time after being affected, but eventually those antibodies wear off and you become increasingly more apt to pick up a cold again.

kurt wismer said...

@lonervamp
it could be the changing technology, or it could be that the lessons learned were never fully understood in the first place...

take for example the caution we eventually learned to use with floppy disks - that caution should have applied to all removable media but somehow we've collectively forgotten to be cautious and autorun worms thrived as a result...

did we think the need for caution was specific to floppy disks and not applicable to 'anything you can put stuff on', or has removable media changed so much that we can't see the connection between the old and the new? i think it's a toss-up...

Donc C. Weber said...

Yes, I admit this will probably be quickly forgotten. But the modifications to a business infrastructure to address this worm will hopefully continue forward. Admins and managers should understand their deployments better and the efforts involved with maintenance and security. Even if simple things like patch management solutions are fixed the Internet should be a safer place. At least until somebody makes a modification without understanding the ramifications, and then the organization's threat to the Internet will return to normal... oops, I mean increase.

kurt wismer said...

@don c. weber
that's exactly it - without remembering the reason why those modifications were made to the business' infrastructure it will not be retained down the road when something else triggers another infrastructure change...

you and lonervamp probably have a better idea of how businesses work than i do, but my impression is that this is something that is not static - deployments, security configurations, etc are in subtle but constant motion... as such i expect the improvements to be nullified sooner rather than later...

LonerVamp said...

You're right, Kurt, they are always changing. If nothing else, employees and managers come and go (along with their lessons learned!) and new systems are put into place, sometimes without going through all the possibly new steps.

It might be something like a sore tooth. One day eating might be painful, and you might even make motions to go to the dentist to have it checked out. But if in a day or two the pain subsides, appointments may be cancelled or never made.

Until there is a real value and force behind actually doing the steps pro-actively, the only people who will do them are the ones who both care and have the free time.

Hell, even amongst the same people, I often have to re-justify or re-explain architecture or security implementations every few quarters.

It all comes down to whether the security (availability) is valuable or not.

That's not to say I'm totally cynical! :) There are employees, managers, and even companies that learn from this and will make better decisions ongoing. Others will make those more permanent changes to patch management or system builds that won't necessarily be forgotten tomorrow. But I wouldn't say that's the norm...