Negligence Abets Slammer Attack

The SQL Slammer worm offers IT and vendors a harsh lesson in the perils of negligence.

When a threat "is permitted to fully and suddenly emerge, all actions, all words and all recriminations ... come too late." So said President Bush in his State of the Union speech at the end of last month, in words that might well have been aimed straight at the IT community as it dug itself out from under the debris of the SQL Slammer worm.

In that weekend attack on worldwide network resources, our community saw shocking demonstrations of what had previously been hypothetical hazards. It saw a major bank's ATM network unable to serve many customers after an attack arrived on the public network and exploited a known vulnerability.

It doesn't matter whether this was an act of technical malpractice or merely—if that's the word—an unfortunate oversight. Customers were depending on that network to provide the service needed to handle emergencies—or even just to get through an ordinary day.

Our purpose in the pursuit of system security "is more than to follow a process," to borrow again from the president's words. "It is to achieve a result." It is not enough for an IT provider—in this case Microsoft—to satisfy form by acknowledging a problem or by going through the motions of describing a response. And it is particularly unacceptable if the countermeasure is too cumbersome for even the vendor's own IT staff to deploy.

In the days that followed the Slammer attack, Microsoft repackaged its remedy for the corresponding vulnerability of its products in a far more conveniently administered form. This could have been done—and should have been done—last summer as part of the company's initial response to meeting its obligations to its customers and to its customers' end users.

In the failure to close the door to the Slammer attack before it arrived, IT departments also saw the reflection of their own short-staffing and reluctance to invest in needed training or other professional services. Slammer was another wake-up call, but how many wake-up calls do we need?

"Trusting in the sanity and restraint" of potential attackers, to close with one final quotation from the president's speech, "is not a strategy, and it is not an option."