The recent widespread carnage caused by the Conficker worm is astounding, but is also comforting, in a strange way.
It has been a good few years since the world saw a worm outbreak of this magnitude. Indeed, since the Code Red, Slammer and Blaster days, things have been fairly quiet on the Interwebs front.
As a community, it seems we very quickly forgot the pains caused by these collective strains of evil. Many people proclaimed the end of issues of that particular bent, whether it be as a result of prolific post-worm hastily induced reaction buying of preventative technologies and their relatives, or whether more faith was placed in software vendors preventing easily “wormable” holes in their software.
Needless to say, Conficker turned those theories a little on their head. Wikipedia notes on the impact of the worm gleaned from various sources seem to say it all:
-snip-
The New York Times reported that Conficker had infected 9 million PCs by 22 January 2009, while The Guardian estimated 3.5 million infected PCs. By 16 January 2009, antivirus software vendor F-Secure reported that Conficker had infected almost 9 million PCs. As of January 26 2009, Conficker had infected more than 15 million computers, *making it one of the most widespread infections in recent times*.
-snip-
We saw similar turmoil when a large organization in South Africa was hit incredibly hard by this worm, and was struggling to resolve the resulting chaos, even with the assistance of their security software vendors. Thankfully, it all ended happily for them, as the issue was resolved, but it’s plain to see where this could go wrong and affect many organizations similarly.
I did mention up front that I found this all to be comforting (granted, this may be a slightly twisted viewpoint, but it really is how I feel about it). The reason I find this comforting is that perhaps as a collective, we needed a fresh wake-up call. They say that complacency kills, and I know that many organizations have become rather complacent of late…
Consider how Conficker works and spreads – missing patches leading to RPC-based buffer overflows in the Microsoft Server Service, brute-force attacks on weak passwords, spreading through file shares…hold on…does this sound at all familiar? Aren’t these issues all addressed by basic security best practices 1 oh 1?
Organizations that had adopted reasonably robust internal security measures – hardening and patching policies, internal security assessments, solid internal vulnerability and compliance management solutions – they would have smiled through the Conficker onslaught..
I don’t only say this because we play squarely in the assessment and vulnerability management spaces – I say this because the same steps that would have protected against Code Red, Slammer, Blaster and friends, would have protected against Conficker… best practice 1 oh 1..
I guess every now and then, we all need a reminder of just how essential the basics that we all tend to overlook actually are :>
/nick