What a Blast!
The walls of Jericho weren't that great, either.
I'm sitting merrily typing away on some material for a presentation that is due in five minutes and this big ol' window pops up. It's emblazoned with the logos of my company and the POS company it uses to run our Information Services group. There is no minimize or close button on the window, just a bunch of text in English and then in French with a button marked “OK, REBOOT!” underneath. I'm in no mood to read the text and I certainly don't want to reboot, but the damn window won't go away.
I knew what this window was for before I started reading the descriptive text, and anyone who regularly reads the newspaper or watches newscasts could probably guess what it was about. The text in said window expounded on the dangers of the W32.Blaster.Worm that was going around, and informed me that it was actually an installation script in disguise. This installation script was really quite a marvellous thing because it was going to install a patch that would make my laptop a blast-free zone and save me from the perils that had been set amok inside our corporate network.
The problem I saw was that I received this little present today, a week after several portions of our network (and Windows workstations) had been rendered inoperable by said worm, and several days since our corporate security group sent an advisory asking anyone with admin rights to patch their machines. I had already patched my laptop a month ago, so this was more of an annoyance, since booting my company's version of a workstation takes over eight minutes. Not to worry though, because the note explained the process would only take five to ten minutes, which meant I'd only be two to seven minutes late with my presentation. Oh, and I must do this now, because it's very important.
Adding a small dose of reality leads me to believe that it was important a week ago when workstations were dropping like flies, /. had a two-link how-to-fix-it headline, and I was instructing friends and family on how to rid themselves of the little gremlin that was trying to shut their PCs down and infect others. It was important four... fucking... weeks ago when Microsoft first released the patch that everyone is scrambling to apply now that someone has created a working exploit and released it into the wild. It was important before it became a problem. Unfortunately, the folks who are responsible for ensuring our LAN environment felt that it was about as important as Gary Coleman announcing his candidacy for the Governor of California. Too bad it turned out to be important enough that it turned half of our Québec office into the equivalent of Highway 101 in the morning.
Muttering oaths involving monkeys and anal sex, I move the window out of the way, finish my work on my slides, and send the saved presentation on its merry way towards the City of Mel. Following my send-off, I clicked “OK, REBOOT!” and waited for the aliens-laying-a-can-of-whoop-ass-on-the-White-House scene to play out. Not surprisingly, the installation script didn't even bother to check if the workstation was already patched (it was), and rebooted my laptop after the failed install attempt (I checked the order by looking at the logs, and it did reboot just for the hell of it). I then went for a decaf because I knew my laptop was out of commission for the next fifteen minutes (actual time: thirteen minutes, forty seconds to reboot and bring my desktop back after logging in).
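For contrast, here is how a deployment script ought to behave: check whether the hotfix is already there before touching anything, verify after installing, and reboot only when the installer actually says one is needed. This is an added example in PowerShell (which didn't exist in 2003), not the script the post describes and not anything from the company's tooling. KB823980 / MS03-026 is the RPC DCOM fix Blaster exploited, which the post doesn't name; the installer filename and its switches are assumptions for illustration.

```powershell
# Added example: an idempotent patch deployment that checks state before acting.
# KB823980 (MS03-026) is the fix Blaster exploited; the installer filename and
# switches below are assumptions, adjust for the build you are actually patching.
$kb        = 'KB823980'
$installer = 'WindowsXP-KB823980-x86-ENU.exe'   # assumed path

function Test-Patched {
    param([string]$Id)
    # Get-HotFix raises a non-terminating error for an unknown ID; swallow it
    # and treat "nothing returned" as "not installed".
    return [bool](Get-HotFix -Id $Id -ErrorAction SilentlyContinue)
}

# Step 1: already patched? Then there is nothing to install and no reason to reboot.
if (Test-Patched $kb) {
    Write-Host "$kb already installed; nothing to do, no reboot."
    exit 0
}

# Step 2: install silently and without letting the installer reboot on its own.
$proc = Start-Process -FilePath $installer -ArgumentList '/quiet', '/norestart' -Wait -PassThru
switch ($proc.ExitCode) {
    0    { $needReboot = $false }
    3010 { $needReboot = $true }    # ERROR_SUCCESS_REBOOT_REQUIRED
    default {
        # A failed install is exactly the case where rebooting buys nothing.
        Write-Host "Install failed with exit code $($proc.ExitCode); NOT rebooting."
        exit $proc.ExitCode
    }
}

# Step 3: trust, but verify: the hotfix must now be visible in the QFE list.
if (-not (Test-Patched $kb)) {
    Write-Host "Installer returned success but $kb is still missing; NOT rebooting."
    exit 1
}

# Step 4: reboot only if required, and not out from under someone with work open.
if ($needReboot) {
    Write-Host "$kb installed; reboot required. Prompt the user or defer to next logon."
    # Restart-Computer -Force   # only once the user has agreed, or at the scheduled window
} else {
    Write-Host "$kb installed; no reboot required."
}
```

The two "NOT rebooting" paths are the point: a reboot is only worth the thirteen minutes when it completes a successful install, and the check at the top means a machine that was patched a month ago never gets that window at all.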
I am so sick and tired of incompetent systems and network administration. With the number of virus and worm attacks over the past two years, there is absolutely no excuse for not being prepared for a known vulnerability. Well, there's one excuse, and that is if the sysadmin was getting laid that day, but we all know the likelihood of that. If you run a Windows-based network, it stands to reason you would monitor the Windows site for updates, and apply them as necessary. After all, you spent a gazillion dollars on Tivoli software that allows you to manage my workstation and prevent bad things from happening by proactively updating my system. I mean, gosh, if a Marketing dweeb can update his system before it gets burned, it stands to reason the head geek what's in charge can, too.
Unfortunately, for some reason they seem to like to sneak a peek at me surfing sports sites and IGN instead, and as a result things go “boom”.
I don't blame the personnel within the contracted sysadmin groups, because they really don't have a clue what they're doing when it comes to security. Most of the places that hire them are body shops that look for an MCSE, and then give them the keys to the joint without checking any credentials. They're billed out at $1 500.00/day, and are expected to repair the PC of the sales rep who installed Kazaa Light “by accident” as well as create and enforce security policy on network use. It makes about as much sense as Jean Chretien setting economic policy—and we all know how well that's worked out.
I do expect the powers-that-be who contract out the systems management services to ride herd over those contracted resources. This means setting policy and articulating how that policy will be enforced, making full use of all the tools available. It's pretty stupid that any company would put that much trust into a contractor, but that seems to be the way things work in a lot of places.
IS relies on products to keep us safe from the wild, wild environment that is the mixture of public and private networks. They use anti-virus software to cleanse the workstation, intrusion detection systems to overload the Remedy systems with portscan alarms (while maybe letting them know that shit is going down), and that great defender of all things network-connected, firewalls, to keep us safe from everything floating around out there (which unfortunately don't work so well if breached or if attacks commence from within). For whatever reason they have a habit of putting the product in, then getting sloppy as time goes on, which leads to very bad things.
An internal attack is precisely what happened when some dumbfuck used their company laptop to access the net in the raw (sans client firewall protection, because the damn thing segfaults and dies on startup), got hosed, and then used their VPN software to check their friggin' email and let the worm loose inside the walls. Cue the cascade, watch a big chunk of the network die, and a whole lotta people from the company that shall remain nameless say “tee-hee... oops!” when things go tits-up.
I want the right people in place to guard the infrastructure, and to be pro-active, not reactive. I'm looking at the CIO and/or COO when I say this. You have to set the policies, and the technology folk have to implement and enforce them.
Security is a multi-layered beast. The network must be protected from all angles, and should treat anything that comes into contact with it as hostile. The network isn't just the data conduits, it's the printers, hosts, PDAs, and other devices that ride it. It has considerable value, which is sometimes hard to quantify because it is so often taken for granted. You must fortify it like you'd fortify any community: putting locks on every house and building instead of a wall around the city. You trust no one completely, and test the strength of your defenses on an ongoing basis, reacting to changes in the environment before they can grab you by the boo-boo. You stay vigilant, because if you fall asleep, things have a tendency to get broken.
Ensure the network is protected to the same degree you'd protect anything that's valuable to you. You don't leave the front door to your house open, do you? I hope to dog you can see the analogy I am subtly imprinting on your forehead with my hammer and wet noodle. If you cannot see through my clever analogy, this means apply patches when vulnerabilities are released, not after all the horses have died in the burning barn (yay mixed metaphors!). I'm quite happy to reboot and apply patches when I first login a month before serious doo-doo goes down, not anywhere near as happy to do so when it's the middle of the day and you figure out that you should have patched a month ago, so it's best to do it now-now-now.
Monitor the advisories, and stay pro-active with preventative maintenance. Protect me from myself and, more importantly, the idiots who click on .pif attachments and network administrators who still believe—despite several examples to the contrary—that we're safe because we have firewalls. Fix the potential problem before it manifests itself into a problem. Do the job that you are contracted to do, and don't keep closing the door after everyone has left the building. Don't give me excuses about having more to do and less resources to do it with, you promised you'd keep me safe. Make it go, make it go fast. You are smart, you will make it go.
Ohh... and for Christ's sake, don't reboot my fucking machine in the middle of the day when I have shit due five minutes hence, especially when I already did your job for you. It really, really pisses me off, and could lead to a letter to your numb-nutted president, or some strategically placed pr0n on your net. That or a piece that bitches about you for all to see...
Tuesday, Aug 19, 2003
PD DCXIII