Who's afraid of the big bad worm (or the death of security as we know it)
Last week saw the "security pundits" ringing the alarms about a major worm attack on its way exploiting MS06-040. I envisioned the next Blaster/Slammer wreaking havoc with our networks and computers. Frankly, as evil as it sounds, it's good for business (hey, I'm a vendor), and generally serves to refocus our attention and companies' budgets on getting real about security.
After reading stuff like Mike Murray, director of vulnerability management over at nCircle, saying in an article in Information Week, "And no, this isn't an overreaction. We've always said that some day there would be another big, serious vulnerability. Well, this is the one." Then having DHS (someone should tell the guys at Information Week that it does not stand for Department of Homeland Defense) issue a US-CERT warning encouraging everyone to patch this. Microsoft told us to give this one a top priority. HD Moore made his exploit public, showing it could result in a DDoS attack. Murray over at nCircle further said, "It's only a matter of time or luck before this turns into the scale of MSBlast. Essentially, every Windows system is vulnerable. This is one of those worst-case 'pull the plug on the Ethernet cable' events." I was pretty confident that we were going to have some trouble. So here we are on Tuesday, the sun still came up, the Internet is still working and I have not seen any reports of a major worm outbreak. Is it too soon? They said we should see something in 2 to 4 days. There have been reports of a botworm out there that does exploit this, but it has not become a Slammer/Blaster type of event. Why? Is everyone already patched against it? Are we ever really going to see another major outbreak of a mass market attack like we did in the past? In my opinion the answer is no. I think the reasons for this are several. Here are the top ones in my mind:
- Who wants to create a mass exploit? People hack for profit, not for fun - In the past the kiddie scripters, or people who wrote these worms for kicks, were the main enemy. After a few people got arrested for this, maybe the air has gone out of that balloon. The real reason, though, is: where is the money in it? In the immortal words of Cuba Gooding, Jr. in Jerry Maguire, SHOW ME THE MONEY! Putting out a mass market worm like this does not make the worm writer any money (unless he does the talk show circuit after he gets out of jail). We have moved beyond people hacking for fun and kicks to people hacking for profit. Today's attacks are aimed at specific targets which yield financial gain. Whether you subscribe to the cyber-mafia theory or not, there is too much money in play, and hackers now will use a valuable exploit like this to maximize their profit, not waste it on a mass market attack.
- We have gotten better at finding, patching and warning on this stuff. There is no doubt that with the regular Patch Tuesdays from Microsoft and the proliferation of vulnerability management and patch management programs, as well as SP2's automatic updates, computer users on the whole are much more protected against known vulnerabilities like this than they were a few years ago.
So what does this mean for you as a computer user and for me as a security vendor? Well, for one, it does not mean that we let our guard down. We have to continue to do the right things: stay on top of patching, do vulnerability management in a systematic way, and use prudence in opening unknown files and attachments. Basically, keep doing the types of things we have grown accustomed to. However, for the security industry, I think we need to move beyond defending against and planning to contain the next mass market worm outbreak. We have to zero in on targeted cyber-criminals stealing and hacking for money. That is the next battleground. We cannot rest on our laurels for fighting the kiddie scripters; frankly, that was child's play compared to what we have to combat now.