Tom Olzak

Conficker is more a lesson than an event

In Business Continuity, Risk Management on April 1, 2009 at 10:24

As April 1st passes, Conficker is looking more like hype than substance. This isn’t uncommon. Also familiar in the days leading up to Conficker doomsday was the tendency for some managers and technical staff to run around trying to avoid pieces of falling sky, even though their organizations were well protected.

In a PC World article, David Coursey writes,

Conficker has once again reminded us that our systems are vulnerable and we need to invest $$$ in protection. Or has it already backfired?

Maybe Conficker will prove that what we already have works pretty well. Maybe Microsoft did a good job dealing with this threat and the anti-malware vendors likewise. Maybe Conficker will send the message that what we are doing is just fine, thank you. Spend more money to counter threats like this? Why?

Source: Conficker Worm Is Much Ado About Nothing, David Coursey, PC World, 1 April 2009

Here is one example of what probably happened in many organizations yesterday. In a morning meeting, someone brought up concerns about the business impact if the organization’s network was infected. Concern spread as managers and their teams began asking how the organization would function if the network became unusable. Email messages containing recommendations and links to tools and techniques flew across the IS department. Conficker was coming, and there had to be something the organization should do to prevent disaster.

In this case, Security stopped the rising tide of “we must do something” with a month-old risk assessment based on existing technical controls. The organization was as protected as it was going to get, and responses to isolated events would be handled according to documented processes. There was nothing left to do but wait.

It is easy to question the effectiveness of existing controls when faced with impending doom.  However, a solid security strategy and a supporting controls framework based on desired business outcomes are sufficient to protect an organization from existing or emerging threats.

A layered defense, including patch and secure configuration management, should be designed to repel all threats that fall into probable attack categories. It should also include sufficient flexibility to allow spot adjustments in response to new methods of unauthorized access to, or use of, network resources. With this approach, knee-jerk reactions when a new global threat seems to threaten life as we know it are eliminated, replaced by case-by-case assessments against the probable attack vectors already identified and protected.
