SAN FRANCISCO (09/19/2003) - August was the cruelest month, breeding MS Blaster and Sobig out of moribund security policies, mixing buffer overflows with SMTP-based viruses, stirring vacation-focused minds with new worms. Winter had kept us warm, as our 1U Linux servers blanketed the datacenter with forgetful uptime, feeding us our e-mail through twisted cables. Summer surprised us ...
That's where my indulgent IT-themed tribute to T.S. Eliot's "The Waste Land" ends, but this summer did surprise us in IT. During my recent two-week vacation, I spent quite a bit of time reflecting on IT's cruel summer of 2003, and my conclusion was simple, as Eliot's verse floated through my mind: This summer was a security wasteland. The trouble is, I'm not so sure that any of us could have done much about it. Like many of you, I read the armchair quarterbacking in IT publications with great interest, and I've seen some of the usual common-sense security suggestions: Make sure all your remote employees have a firewall, constantly monitor and update your security policies, and remain ever vigilant for the next attack.
Yeah, I know, but it's not that simple. The rash of security incidents over the summer underlined something that, as a working technologist, I've known to be true for a long time now: IT is still very difficult, and Murphy's Law sometimes prevails, helped by the limits of time, space, and budget. Sometimes the staff is completely versed in best practices, but doesn't expect something quite like Sobig (who did?). Most IT staffers don't work in companies with deep enough pockets for the staffing needed to track, understand, and plug every possible security hole that comes up in the course of a day, so they do the best they can, trying to keep up with Bugtraq and CERT Coordination Center advisories between the usual help desk calls. With Sobig, we at InfoWorld received 140,000 messages in one day in what amounted to a DDoS (distributed denial of service) attack on our e-mail system via the open SMTP ports we all rely on. Worst of all, it tied up our key IT staffers to the point where they couldn't do much else but deal with Sobig-related problems.
I have praised the decentralized enterprise before, but that environment makes it particularly difficult to enforce centralized security policies. I can send out a top-of-the-line firewall to a home office employee and I can even fly across the country to hook it up personally (let's assume, for the sake of argument, that kind of travel expense is within the budget), but who will monitor and manage it? What happens when the employee's husband unhooks the firewall because he thinks it's making his music downloads too slow? What happens when your VP of sales hops onto a wireless network at Starbucks to check e-mail and gets hit with MS Blaster because he was always too busy to accept your automated patch when you released it to your users? While these stories have been changed to protect the guilty, I've seen these kinds of things happen enough to know that security is a people problem first and a technology problem second. I can only hope that the recent attention given to security issues will give end-users reason to listen when IT asks them to open their mouths and swallow the sometimes-icky security medicine.
As the Sobig surprise taught us, a completely successful security policy must verge on the clairvoyant, but in the absence of supernatural powers, continued vigilance must do. In Eliot's poem, Madame Sosostris, the fortune teller, says it simply: "One must be so careful these days."