Sure, you know what to do to keep your enterprise safe, but you also have to actually do it.

My friend sighed in frustration. The MSBlaster worm had landed on her computer within a couple of hours of its release into the wild. Now her computer was randomly shutting down. She was frustrated because, as an employee of a major corporation, her IT department supposedly made sure her copy of Windows was kept updated and therefore free of any chance of such things happening.

Adding to her frustration, the same IT department had never actually provided any kind of firewall for her computer. Normally, this wouldn’t matter if she were behind a corporate firewall, but like a growing number of corporate workers, she works from home, and there’s no corporate firewall at her house. So my friend was vulnerable, and she got hit almost instantly.

The reason for the lack of a firewall (even something simple such as Zone Alarm from Zone Labs would have protected her) was simply because no one thought about it. This necessary security item just never rose to a significant level on anyone’s priority scale, so the firewall software was never purchased.

The Windows update problem is where laziness and ineptitude play a major role. In my friend’s case, the outsourced IT support staff had installed an agent that was supposed to handle updates to Windows (among other things) automatically. Problem is, they didn’t actually check to see if it worked — and it didn’t, because they had set it up wrong. So for months, no updates of any kind took place.

The result was inevitable. First chance this worm had, it implanted itself into my friend’s computer. And, of course, because my friend accessed her corporate enterprise using a VPN, she was effectively inside her corporate firewall as soon as she connected, opening up her company to the worm despite the firewall.
In other words, the company’s security was penetrated by a computer that was outside the firewall in some ways and inside the firewall in others. The only thing that saved the company from an infection inside the firewall was the constant computer restarts that kept my friend busy trying to solve the problem instead of doing her work.

But you can’t assume that it’s only those who work from home who have had problems with this worm. Here in the D.C. area, for example, the Maryland Motor Vehicle Administration shut down statewide at noon on the day after the worm appeared and remains shut down as this is written. Likewise, the U.S. Department of Homeland Security announced that the federal government was affected, but as you’d imagine, wouldn’t say how badly or in which agencies.

The lesson to every IT department should be obvious, but I’ll state it here anyway. Just because you have proper security policies in place doesn’t mean they’re being carried out. Security requires constant vigilance, and this is true whether your IT staff belongs to you or whether it’s farmed out to an IT services provider: You’re never as safe as you think you are.

In this case, a very serious problem was averted only narrowly. If the worm hadn’t caused my friend’s computer or the computers of the other employees of the same company to behave badly, the worm would have surely spread inside what was supposed to be a protected enterprise. As it was, the company spent hundreds of dollars in support costs because it lacked a software firewall costing only a few dollars and motivation from a vendor who didn’t quite do the job it was being paid to do. Seems like a bad trade-off to me.
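The column’s lesson is that an update agent and a host firewall are only worth anything if someone verifies they are actually working. The script below is an added example, not part of the column and not the product of any vendor it mentions, showing how an administrator can check that from the endpoint itself rather than trusting the agent’s configuration: it looks at what was really installed and when, whether the update service can run at all, and whether the host firewall is enabled on every profile. It uses standard Windows PowerShell cmdlets (Get-HotFix, Get-Service, Get-NetFirewallProfile); the 45-day threshold is an assumed value, and Get-NetFirewallProfile requires Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the column): verify that patching and a host firewall
# are actually in effect on a Windows endpoint, instead of assuming the agent works.
# Assumption: Windows 8 / Server 2012 or later (for Get-NetFirewallProfile).

$maxPatchAgeDays = 45   # assumed threshold: flag hosts with no update installed in this window

# 1. What was really installed, and how long ago? A host whose agent was
#    misconfigured (as in the column) shows no recent entries here.
$hotfixes = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending
$latest = $hotfixes | Select-Object -First 1

if (-not $latest) {
    Write-Warning "No installed updates recorded; the update agent may never have run."
} elseif (((Get-Date) - $latest.InstalledOn) -gt [TimeSpan]::FromDays($maxPatchAgeDays)) {
    Write-Warning ("Last update {0} was installed {1:yyyy-MM-dd}; patching appears stalled." -f
        $latest.HotFixID, $latest.InstalledOn)
} else {
    Write-Output ("Patching OK: {0} installed {1:yyyy-MM-dd}" -f
        $latest.HotFixID, $latest.InstalledOn)
}

# 2. Can the update service run at all? A disabled service explains a silent agent.
$wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if (-not $wu) {
    Write-Warning "Windows Update service (wuauserv) not found."
} elseif ($wu.StartType -eq 'Disabled') {
    Write-Warning "Windows Update service (wuauserv) is disabled."
}

# 3. Is the host firewall on for every profile? A home/VPN machine relies on
#    this, since there is no corporate perimeter in front of it.
foreach ($profile in Get-NetFirewallProfile) {
    if (-not $profile.Enabled) {
        Write-Warning ("Firewall profile '{0}' is disabled." -f $profile.Name)
    } else {
        Write-Output ("Firewall profile '{0}' is enabled." -f $profile.Name)
    }
}
```

Run it under an account that can read the installed-update list and firewall settings, and feed the warnings into whatever inventory or monitoring the help desk already watches; the point is that the check comes from the machine’s actual state, not from the agent’s own report of what it was configured to do.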