Patching and updating your system pays off in the long run. But laziness pays off now.
Everything will go black for as many as 300,000 computers on Monday. But sadly, we’re in for many more dark days. Why? Because people have freedom on the Internet. In this case, they had the freedom to choose not to patch their systems. And they exercised it.
Internet will vanish Monday for 300,000
As much as I dislike the term “ecosystem” to describe anything other than biological phenomena, it is a pretty accurate analogy to use for the Internet. Introduce a foreign entity into it and the natural balance gets out of whack. Just like when an aquarium hobbyist get bored of his vicious piranhas and decides to release them in a Florida river, networks are inevitably compromised by a small percentage of careless users who introduce risk for everyone else.
From my conversations with vendors and security analysts, there is an overwhelming consensus that one of the worst things you can do when it comes to enterprise security is to trust the user. With BYOD, for example, you have to make policies that operate like laws of nature — inviolable — as opposed to the type we have in our judicial system.
On a network, users need to be presumed guilty.
The problem is, of course, that it’s impossible to compel companies themselves to get their houses in order. You can warn, you can recommend, you can beg. But that’s about it.
Alex Kirk, a senior researcher with Sourcefire Inc.’s vulnerability research team, points out that even some of the world’s largest companies had neglected to wipe the DNS changer malware off their systems, despite the fact that “every security expert on the planet has been trumpeting from the rooftops that you need to go clean this thing off for months.”
“I think that tells you everything you need to know about the state of enterprise security out there in the wild. There are definitely places that get it right and there are companies that really know what they’re doing. But there are so many other small businesses, even larger businesses, that just don’t have a focus on IT security, and it really comes and bites them in the end.”
But even if it doesn’t bite you, it will most certainly take a chunk out of someone else. As Stephen Percaballi, security practice lead Softchoice Corp., puts it, “we all share, collectively, the responsibilities of the Internet.”
For example, just look at it from the perspective of the organizations that are taking responsibility for securing your personal data, he says.
“Somebody pays. It’s not always the user. We’ve seen over the last five six years that the banks have really been appearing to cough up the bill when someone steals your credit card and goes and buys five TVs, because they know it wasn’t you,” he says. “The insurance companies, or the banks, or the government…somebody’s paying for it.”
There’s really no special advice any security expert can give your company to prevent a similar DNS disaster from happening again. We’re all in this fight against malware together, but even the best advice and the best technology can’t replace common sense.