Escape from Conficker-geddon


So here we are again, a couple of days past the Conficker Armageddon, and some people are feeling like they missed the party. No one has said it yet, but I can already see it in some eyes: "Looks like another over-blown security event, hyped by the media and exploited by the security guys." Really? It's the old circular question: "Did Conficker just not live up to its hype, or did all of the attention we gave it mitigate what might have happened?" Just like police who see a drop in crime after adding more officers, we only seem to be able to ask this question after we have focused on a specific problem like this one, and by then the answer is unknowable.


So, did all of the media hoopla and our own internal advisories, coercion and hard work to make sure our systems were patched help us dodge the Conficker bullet? Just like Y2K, we'll probably never know for sure, but you know, I don't think it matters. Sure, we had people scurrying around for a couple of weeks, but I'll bet all of our systems are in a little better condition now, and we probably learned a few things about our IT environment that we wouldn't otherwise have known. Here's a crude analogy. In the Navy, when leadership notices an increase in accidents or a spike in work-related mistakes, they often call for a "Safety Stand-down," where entire commands, and in some cases the entire Navy, take a day or a half day to stop all regular work and regroup, focus, get some training and address whatever the major problem seems to be. Well, I'm choosing to treat Conficker as a "Safety Stand-down." We'll be gathering some metrics over the next few weeks that will hopefully help tell a good story.


I spoke with a few CIOs and CISOs yesterday who did take Conficker seriously, and they certainly didn't feel like they had wasted time. In fact, a couple of them felt like they and their folks were better off because of the drills they went through to make sure their systems were clean and healthy.


We're not even close to declaring victory, because there are still millions of Conficker-infected computers out there, ready to use your networks for their botnet purposes. More importantly, all evidence points to the fact that the Conficker writers are very good, and we still don't know the end game. Some experts expect to see additional variants that are even more difficult to patch against and remove.


For today, I'm happy to have avoided a Conficker meltdown on April Fools' Day, but we plan to stay vigilant and keep our shields up. Maybe it's a good time to give your folks a pat on the back and tell them "job well done!"

1 Comment

My concern with the media hype is that it may have the opposite effect, causing people to believe that Conficker and similar attacks are not a threat. The people behind Conficker have invested too much time and money to let it go. To them, it's about money, not notoriety.

It is also clear that antivirus vendors cannot keep up with the number and sophistication of the attacks; the list of "secure" and PCI-compliant organizations that have been breached only gets longer, including the State of Vermont just last week. This will be an ongoing battle until organizations not just publish but *enforce* their internal policies for which applications can run. Instead of counting on the antivirus vendors to catch everything, why not restrict what runs to only those executables that are approved, and deny all others?
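The commenter's closing suggestion, an application allowlist that permits only approved executables and denies everything else, can be sketched in a few lines. The following is an added illustration, not code from the post or the commenter, and it is deliberately simplified: it identifies an executable by the SHA-256 hash of its contents (so a repacked or modified variant of an approved binary is not approved by accident), and it models the commenter's distinction between a policy that is merely published (audit mode: violations are logged but still run) and one that is enforced (block mode: anything not on the list is refused). The two sample "executables" and the `Policy`, `decide` and `demo` names are constructed for this example; a real deployment would use an operating-system mechanism such as Software Restriction Policies or AppLocker rather than a script.

```python
"""Default-deny executable allowlist: hash-based, with audit and enforce modes.

Added example only; not the blog author's or commenter's code. All names and
sample files here are constructed for illustration.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class Policy:
    """An allowlist policy: approved content hashes plus an enforcement switch."""
    allowed_hashes: set          # SHA-256 hex digests of approved executables
    enforce: bool = True         # True = block unknowns; False = audit only
    log: list = field(default_factory=list)


def sha256_of_file(path):
    """Hash the file contents in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def decide(policy, path):
    """Return True if execution of `path` is permitted under `policy`.

    Default deny: the only way to be allowed is to match an approved hash.
    In audit mode the decision is logged but execution still proceeds, which
    is what a "published but not enforced" policy looks like in practice.
    """
    digest = sha256_of_file(path)
    if digest in policy.allowed_hashes:
        policy.log.append(f"ALLOW {os.path.basename(path)} sha256={digest[:12]}")
        return True
    if policy.enforce:
        policy.log.append(f"BLOCK {os.path.basename(path)} sha256={digest[:12]} not on allowlist")
        return False
    policy.log.append(f"AUDIT {os.path.basename(path)} sha256={digest[:12]} would be blocked")
    return True


def demo():
    """Constructed scenario: one approved binary, one unknown binary, and a
    modified copy of the approved one. Returns the decisions of both modes."""
    with tempfile.TemporaryDirectory() as d:
        approved = os.path.join(d, "approved_app.exe")
        unknown = os.path.join(d, "unknown_tool.exe")
        modified = os.path.join(d, "approved_app_modified.exe")
        with open(approved, "wb") as f:
            f.write(b"MZ constructed approved binary")
        with open(unknown, "wb") as f:
            f.write(b"MZ constructed unknown binary")
        with open(modified, "wb") as f:
            f.write(b"MZ constructed approved binary, one byte changed!")

        # The allowlist is built only from the approved file's hash.
        allowed = {sha256_of_file(approved)}
        enforced = Policy(allowed_hashes=set(allowed), enforce=True)
        audit = Policy(allowed_hashes=set(allowed), enforce=False)

        return {
            "enforce": {
                "approved": decide(enforced, approved),
                "unknown": decide(enforced, unknown),
                "modified": decide(enforced, modified),
                "log": list(enforced.log),
            },
            "audit": {
                "approved": decide(audit, approved),
                "unknown": decide(audit, unknown),
                "modified": decide(audit, modified),
                "log": list(audit.log),
            },
        }


if __name__ == "__main__":
    results = demo()
    for mode, r in results.items():
        print(f"--- {mode} mode ---")
        for line in r["log"]:
            print(line)
```

In enforce mode only the approved file runs; the unknown tool and the modified copy are both blocked. In audit mode all three run, and the log is the only evidence that the policy was violated, which is the gap the commenter is pointing at: a policy that is published but not enforced changes nothing about what actually executes.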
