Learning From Slammer
Amid frustration over patches, a case for ROI on security spending
Jan. 27, 2003 -- What's the biggest lesson learned from the latest network-clogging Internet worm attack?
"There is no patch for stupidity," according to the folks at SQL Security, which specializes in securing Microsoft SQL servers, the systems targeted by Saturday's release of the "SQL Slammer" worm.
As with the NIMDA and CodeRed worms in 2001, many otherwise secure networks were overwhelmed by huge volumes of traffic generated by systems left open to a known vulnerability.
The SQL worm, which was only 376 bytes, illustrated the limitations of community-based security in a networked world. The worm targeted a six-month-old security hole in Microsoft SQL Server for which downloadable software updates - known as "patches" in industry jargon - have been available since July.
But even Microsoft itself had not fully patched its systems, and as a result was hammered by traffic from the worm. This raises a fundamental question: If the company making the software and issuing the patches can't stay current on its own security updates, can its customers' system administrators be expected to do any better?
In an odd paradox, the Slammer crisis may provide a fresh argument for outsourcing network security to managed hosting specialists, or at least for loosening tight in-house security budgets.
Internet security specialists say the key is to focus spending on competent management of your company's own systems, rather than on external threats.
"It's not that the bad guys are good," said Ira Winkler, chief security strategist at Hewlett-Packard. "It's that the good guys are bad."
"So many people think it's the Secret of the Ninja to secure your network," Winkler told the recent IMN Cybersecurity Summit in New York. "Security problems are preventable.
"But if you don't understand your enemies, they seem like geniuses. Teenagers want significance, and they don't need knowledge when you leave yourself open. Stupid human errors cost more than everything else combined."
NIMDA and CodeRed cost industry between $5 billion and $7 billion in lost time and cleanup efforts, according to Steve Katz of Security Risk Solutions, who has held IT security posts at JP Morgan, Citigroup and Merrill Lynch.
"NIMDA would not have been an issue if people had corrected problems that had been known for months and applied patches that had been available for months," Katz told an audience at the CyberSecurity Summit.
Two years later, costs are again being incurred as manpower is diverted to the cleanup effort. Why do viruses and worms targeting known vulnerabilities continue to wreak havoc?
A common complaint from security professionals is that top management gives lip service to security but is loath to invest unless managers can demonstrate a clear return on investment. In a tight spending climate, business cases built on unknowable future threats face an uphill struggle.
"I think that's the hardest thing," said Stanley Jarocki, senior vice president of Information Security for Morgan Stanley. "I don't think a lot of the ROI models (on security investments) work. But it's a common sense issue. Get your top managers engaged in a conversation."
Jarocki, who also chairs the Financial Services Information Sharing and Analysis Center, said the best strategy is to equate information security investments to an insurance policy - a modest short-term investment that can mitigate future risk.
"Just figure out how to phrase what you want in a way management wants to hear it," offered Winkler, who advocated a "Wizard of Oz" strategy that focuses spending on expertise.
"The real moral of the Wizard of Oz was that everyone had what they needed; they just didn't know it," said Winkler. "None of the vendors have a system that will magically make you secure. Train your current workers. You've got to let them know what they don't know. Focus on the basics, not the hype."