I didn’t exactly run out to Toys “R” Us to buy a present when I heard that the Conficker worm was celebrating its first birthday. What we really should have done was smother the little monster in its crib when we had the chance.
This sounds violent and politically incorrect, I know, but what would any brave, self-regarding person done if they had a few moments alone with Rosemary’s Baby?
That Conficker is still with us, lurking and lying dormant for a revival at some unspecified date, says a little about the brat’s hardiness, but much more about the environmental conditions that allowed it to thrive and survive despite its universal unpopularity. One can grudgingly admire the imp’s construction and remind us that old-fashioned mass-infection viruses have not lost their virulence.
But we would be speaking of Conficker in the past tense, or the event as a scare that never really got a grip on computing infrastructures if the IT world had achieved a reasonable level of competence in three areas:
Patch and configuration management After years of Microsoft Patch Tuesday’s and universal recognition that effective patch and configuration management is a virtue that reduce security and availability risks, the vast majority of organizations still labor under inconsistent, slow, and gappy processes.
No one claims that an infrastructure with 100 percent compliance with the latest device, operating system and application configuration standards will immunize an infrastructure against all possible harms, but you’ve certainly given malware much stonier ground to put down roots.
Infrastructure visibility Viruses thrive in shadows and darkness, and how many IT organizations know what’s going in their infrastructure in anything approaching real-time? If you can see what’s going on, you can also set up alarms and gauges that can tip you off to disturbances in system behavior that indicate trouble.
From there, you have much greater opportunity to isolate and triage infected systems from healthy infrastructure until help arrives in the form of a patch, update, or new virus definition file. Visibility down to the machine level is also essential in detecting stealth attacks seeking to purloin valuable information or disable strategically important assets.
Again, there are no guarantees that perfect visibility can be established or alert you to all harms, but you significantly shift the odds in your favor if you have usable knowledge about the state of your infrastructure from individual machines up through entire estates.
Fast and thorough remediation Let’s say a new strain of malware has broken into your infrastructure and a remedy is available. How long does it take to install the remedy on all eligible machines?
How can you be sure that it will install without gaps or blind spots? How can you even know any of this to begin with? Your guiding principle should be, “What happens on day zero, should stay on day zero.” This sounds like a tall order, but not impossible for the well prepared.
No doubt about it, Conficker is an evil spawn that right-minded people find hard to defeat. But it is not blaming the victims to say that environmental factors—gappy configurations, murky visibility, and hit-or-miss remediation—have nurtured Conficker through its malevolent youth. A gram of prevention is worth a kilo of alarmed press releases from commercially self-interested anti-virus companies.