May 04, 2004

sasser, a.k.a. "your free incompetence spotter"

Unless you have spent this week without reading the news, in print or on the Internet, and without watching TV, you must have heard of sasser, the terrible Internet worm which is going to end civilisation as we know it.

It has been a phenomenal start of the week for the various news agencies, all falling over each other to try and find quotable quotes and disaster-struck companies to cite in their "end of the world" articles.

The lack of understanding of what sasser is and why it spreads has meant that nobody actually focused on the fact that this alleged disaster could have been avoided, with a modicum of effort and planning, by pretty much every large company that admitted to being hit.

The reader could be forgiven for assuming that this will turn into yet another "timely patching is essential" article, but would be mistaken. It is not patching that solves the sasser problem but appropriate network design.

Let us assume that all the companies cited in the BBC's article were real victims of sasser (I have no independent means of verification). If they weren't, they can serve as useful examples nonetheless.

Let us begin with a Finnish financial institution, Sampo, which allegedly closed 130 branches due to the sasser outbreak. The very first question you should ask yourselves is "how on Earth did the worm get to the branches?", followed closely by "surely they are not connected to the Internet?", followed by inevitable despair. How can a financial institution possibly allow a cash-handling system to be connected to the Internet, even via firewalls?

Alternatively, if the systems are not connected to the Internet, how did the worm spread? Well, the only possibility is that an infected system was placed on the same LAN because, surprisingly enough to some people, Internet worms can't jump out of one machine and magically appear on another unless the two are connected. At which point the next question is "surely you can't just plug in any old system on the branch network?", and the answer to that can only be a resounding "yes" to explain the spread on their internal network.

The above example has nothing to do with Microsoft, patching or worms and everything to do with atrocious security policies. If you are a financial institution then your primary concern should be the preservation of the integrity of the network handling financial transactions, not making sure that your employees at branches can read their Yahoo! mail or surf the web.

Are they alone? No: according to an article in the Italian newspaper "La Repubblica", the Italian Home Office ("Ministero dell'Interno") was affected. Of course we don't know the details: it could have been external hosts only (although their website is running Apache, normally a good sign), but still the fact that they were affected at all is not impressive. This is the ministry which controls the police force in Italy. Or what about Dubai International Airport? Australian Railways? Goldman Sachs? Deutsche Post and Taiwan's national post office reverting to pen and paper?

This is pure madness: how can a worm which spreads from the Internet and via the Internet possibly shut down the whole national post office network with branches reverting to pen and paper? There is only one answer: incompetence at the highest level.

Allow me to give an extreme example in the opposite direction: a friend of mine used to work for a bank in the City of London. This bank had a very simple policy: thou shalt not have physical access to anything connected to the network. If you wanted your Palm synchronisation program installed, they would take your sync cable, bolt it to the machine, install the software and return it to you. If you wanted access to the corporate network from home, they would install a leased line and an office-standard locked-down system. By locked down I mean: no floppy, no CD-ROM, ports at the back bolted and locked, case under lock and key. So yes, it is very expensive, but they knew that there was no trivial way that someone could bring a worm into their network.

So it can be done, at some expense. But how much did a day of virtual shutdown cost the affected companies, not to mention the public relations disaster?

Posted by arrigo at May 4, 2004 11:01 PM