Firewall Wizards mailing list archives

Re: The Morris worm to Nimda, how little we've learned or gained


From: Michael Brennen <mbrennen () fni com>
Date: Sun, 13 Jan 2002 21:26:02 -0600 (CST)

On Sun, 13 Jan 2002, R. DuFresne wrote:

On Sat, 12 Jan 2002, Michael Brennen wrote:

There have been many such catalysts this past year to alert people
that their networks and data are at very high risk.  If Code Red,
Nimda and such don't fit the profile you describe above, what event
would you expect to be sufficient to do so?  The McAfee office in
Dallas was down for at least a day and a half when Nimda
hit; that was one office.  If such a breach isn't sufficient to get
the attention of management, what is?  If Microsoft's network being
penetrated, which was fairly widely known, isn't sufficient signal
to companies running the same software that the same could happen to
them, what would be?  If the FBI's data being randomly mailed around
doesn't scare someone that it could happen to their own data, what
will it take to sink in?

I think the person you reply to means something so totally
catastrophic that it takes down like all the core name servers
or a whole gov network or many many systems, something on par with
the 9/11/01 twin towers attack in NY.  I could have read him
wrong, but, I think he's talking on that scale.  And it is a
shame, being all the 'signals' you mention that have been there
for sure.

This is where IMO the 9-11 analogy breaks down.  The shock of 9-11
is personal vulnerability where none was perceived before.  It is
because of that new awareness of immediate personal vulnerability
that people are willing to accept and even welcome security measures
now that they would not have tolerated before.

In my experience with users of various Internet services, most see
the Internet as an amorphous blob.  If a peering point router goes
down or if a major fiber cut happens today, that is 'somewhere out
there'.  Apart from the brief interruption of life as we have come
to know it, such events are not a direct personal threat.

If the root servers were all taken out, or a massive worm was
unleashed against Cisco BGP routers and the Internet ground to a
halt, that is still in the 'out there somewhere' blob.  Yes, they
might have to revert to communication methods of a few years ago,
but we are not so far from that that we could not do so.  Most have
functional businesses behind their .com, and a massive Internet
failure, though perhaps highly disruptive, still does not have the
same level of direct personal threat because their networks stay up
and their desktop machines can still get to the internal network
server.

The closest I think we've seen yet to an Internet 9-11 is Nimda.
The reason that we don't broadly see it that way is that Nimda's
payload didn't obliterate the machines it infected.  The signs are
all there, but we haven't yet understood what could have
happened.  I think to most users, Nimda was just another in a long
history of nuisance viruses.  That most were able to recover from it
and keep running perpetuates the deceptive assumption that the next
one will be recoverable as well.

Working on the premise that the message of 9-11 is a new awareness
of direct personal vulnerability where none was perceived before, I
fear that most users will only get the same effective shock when
they suddenly realize that the next worm could leave a trail of
formatted hard drives inside their own office.

   -- Michael

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards