What can IT people learn from your experience?
The network was infected because the company was running an unpatched version
of Symantec’s antivirus software. There was a patch for the vulnerability
that infected this computer, but this company’s IT staff didn't apply
that patch and roll it out. The bot came in via a notebook that was used offsite,
probably connected to someone’s home DSL and unprotected by a firewall,
and brought back into the corporation. So the lessons are, convince users who
take data offsite to be more careful and vigilant, and make patch management
a priority. An unpatched system is like a wide-open door. You’d fix a
broken outside door in your home, and you need to treat your corporate assets—and
whatever’s protecting you from malware—the same.
An IT person needs to know what's happening on his network. You have to get
a protocol analyzer, and you've got to learn what the protocols are and how
they work. And you've got to learn enough so that you can recognize the kinds
of things that aren't good. That was one of the reasons for the Webcast that
I did for Microsoft on the art of debugging, using a network sniffer to isolate
problems. (For more information, see "TechNet Webcast: The Art of Network
Debugging (Level 200)," May 15, 2007, at http://www.microsoft.com/events/webcasts/library/200705.mspx.)
Once you see these kinds of things and see what's out there, the world kind
of opens up, and you’re thinking, "Wow, I had no idea that's how
that happened."
You can diagnose a lot of problems by watching that network traffic. You can
tell whether the problem is something local to a system or something happening
over the network. If you're going to debug or figure out what's going on or
design a system that relies on more than one of these components, you've got
to have knowledge that spans those components. The network is usually what spans
them. In this industry, if you're not learning, you are falling behind very
quickly. I don't want to fall behind. I want to keep growing, and keep learning,
and keep doing new things.
Have you found that companies are doing a good job with
their network security, or is this a deficiency?
We do what we know we need to do most of the time, but we're not diligent or
vigilant about it, because there are always other fires to put out. Security
is about spending money and effort and time to make sure nothing happens. How
much should a company spend on its internal security? Where's the magic line
where you've spent enough to make sure nothing happens? How do you convince
the CFOs who don't understand the level of vulnerability that's there? How do
you get them to say, "You know what, this is a good investment. We should
spend it"? How do you get them to spend money to make sure that nothing
happens?