Body Slam

Mar 01, 2003 | 3 mins
CSO and CISO | Data and Information Security

You could tell that the SQL Slammer infestation was a biggie just by the volume of self-congratulatory e-mail from vendors claiming to have the problem licked. When people start yelling that everything is under control, that’s when you start to worry. Informal polling around our offices reveals a volume of Slammer-related messages vastly higher than that which followed earlier viral or vermicular outbreaks. Must have been a lot of folks caught unprepared for this one.

In downtown Boston there’s an apartment complex with a famous sign outside, facing one of Beantown’s many traffic bottlenecks. The sign reads, “If you lived here, you’d be home now.” Much of the e-mail regarding the SQL Slammer worm was roughly in that vein: “If you had used MonkeyMax DMZ, you wouldn’t have had any Slammer issues!” But the truth is a little weirder than the lack of MonkeyMax DMZ (for those eager to get some, I made it up). The vulnerability was well-known, and the patch to fix it has been widely available since last summer, when Microsoft released it along with a critical security bulletin. The half million or so vulnerable servers were found in enterprises where somebody hadn’t gotten around to applying the patch. What could explain this?

At first blush, one might conclude that the sign should instead read: “If you weren’t such a worthless dope, you wouldn’t have had any Slammer issues!”

Much of the semiflaming Slammer debate, as seen in postings on various websites, pitted people who reject Microsoft and all its allegedly invidious works against those who think network admins (or anyone else who’s handy to be blamed) are lazy dogs who ought to show a lot more attention to detail. Amid the charges and countercharges are some undeniable gray-scale realities. The patch, it turns out, is somewhat harder and less convenient to install than its Band-Aidy name would imply. It can require taking a (sometimes mission-critical) system offline for hours and can interact badly with applications that haven’t been updated to accommodate it. So laziness is not quite the right characterization of those responsible for the afflicted servers. For those facing the need to prioritize investments of time and effort (some leading to considerable inconvenience for users and businesses), gambling becomes one of the tools of the trade. Naturally, snake eyes can sometimes be the result.

In the Shoemaker’s Barefoot Children Dept., even Microsoft’s own internal network had servers getting whacked by the worm. The irony of this must be delicious for combatants on both sides of the issue. But if Microsoft can’t get its own act together with respect to the patch application, how can the company credibly level its finger at the legions of similarly ill-prepared customers?

In a world in which nearly every single piece of technology is complicated, most networked environments, consisting of many thousands of single pieces, often oddly matched and haphazardly assembled, are so byzantine as to defy all reasonable efforts to keep up with maintenance and repair. SQL Slammer is a fresh reminder that to gamble on risk is to flirt with disaster. CSOs who are not now entirely comfortable with the policies and procedures their enterprises follow in applying and testing the patch should quickly remediate this area of risk.