Dr. Slammer, or how I learned to stop worrying and love downtime

Guest writer doles out grades for Slammer situation

The long view of security strategies for your network.

My friend and colleague Jim Reavis recently sent me the latest issue of his "CSOinformer" security newsletter, and I was so taken by his comments on the recent Slammer incident that I asked him for permission to republish them here. He has very kindly allowed me to print the following essay (lightly edited) from his excellent publication.

"I" refers to Jim, so please direct your praise (or abuse) to him at mailto:jim@reavis.org with a copy to me mailto:mkabay@norwich.edu when responding to any controversial bits below.

* * *

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

My friend and colleague Jim Reavis recently sent me the latest issue of his "CSOinformer" security newsletter, and I was so taken by his comments on the recent Slammer incident that I asked him for permission to republish them here. He has very kindly allowed me to print the following essay (lightly edited) from his excellent publication.

"I" refers to Jim, so please direct your praise (or abuse) to him at mailto:jim@reavis.org with a copy to me mailto:mkabay@norwich.edu when responding to any controversial bits below.

* * *

The Slammer (or Sapphire) worm has come and is mostly gone. This worm halted the Internet in many parts of the world and stopped many critical business functions within corporations. How do I grade the players in this latest saga? Let's take a look:

* Microsoft: B-. Seriously, how much blame can we ascribe to Redmond when they released a security advisory six months before the attack, complete with a patch for the affected SQL Servers? They cannot get an "A" because they released the insecure product in the first place; they get the minus for having a lot of security advisories to wade through and for making the process for patching computers so painful, as I'll discuss at the end of this column.

* Information security industry: D. If there is going to be an information security industry in the long run, these are the moments in which it needs to shine. Vulnerability assessment companies can claim they warned you, but they didn't do too much to help you. Many companies claimed that they could help - the next time Slammer attacked. There were some very good examples of smaller companies who trapped Slammer with anomaly detection technology or prevented it with patch management. But the big guys - the security companies most of us have standardized on - seemed to have very few answers.

* Systems administrators: F. We all need to take personal responsibility for the security of our networks. The underlying vulnerability for Slammer was announced on July 24, 2002, by Microsoft bulletin MS02-039 and given the maximum severity rating. History tells us that nearly all wide-scale attacks are based upon known vulnerabilities. Microsoft released 72 security bulletins in 2002, not a tiny number, but not exactly the population of Hong Kong either. A systems administrator reading MS02-039 should have seen the hallmarks of a potential problem: specifically, the vulnerability could be automatically exploited without any local interaction. However, most chose not to apply the patch.

Clearly, what is needed is sophisticated patch management technologies to aid organizations in managing updates, which will only increase in frequency. Among the key needs:

* Scalability to accurately identify vulnerabilities in large networks.
* Regression testing and the ability to pilot patches.
* Wisdom to know which patches should be installed and when.
* Ability to simply roll back patches that have unintended side effects.
* Work-around information for vulnerabilities lacking a suitable patch.
* Ability to integrate patch management into enterprise systems-management consoles.

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.