[Infowarrior] - Conficker demonstrates complexity of IT security

Richard Forno rforno at infowarrior.org
Tue Mar 31 01:29:42 UTC 2009


Conficker demonstrates complexity of IT security
by Jon Oltsik

http://news.cnet.com/8301-1009_3-10207427-83.html?part=rss&subj=news&tag=2547-1_3-0-20

With recent coverage in The New York Times, The Washington Post, and  
60 Minutes, the sophisticated Conficker worm has become mainstream  
news. Yes, the underlying concepts may be a bit complex for John Q.  
Public, but I think this media attention is a great public service.  
Users need this type of education to better understand the risks  
associated with Internet connectivity.

Plenty of people have written detailed descriptions about what  
Conficker is, where it may have come from, and future potential  
damage. I prefer to focus on the relationship between Conficker and  
overall IT security. Given its properties, Conficker goes well beyond  
malicious code and endpoint security. In my view, the Conficker worm  
provides a microcosm of the complexity of IT security and the pressing  
need for security best practices. Here are a few examples:

    1. Conficker reinforces the link between IT security and  
operations. Organizations with strong asset, configuration, and patch  
management processes were probably able to patch vulnerable systems  
before Conficker first appeared in November 2008.

    2. Conficker demonstrates the need for device authentication and  
port blocking. Conficker uses USB flash drives as a means for  
propagation. This should serve as a wake-up call to security  
professionals that USB drives can act as a modern-day "sneakernet" for  
spreading malicious code or stealing confidential data. Addressing  
these threats means limiting USB access to authorized drives (through  
means like the IEEE 1667 standard) while filtering all traffic that  
flows to or from USB drives.

    3. Conficker contains a password-cracking program that can break  
simple passwords like "1234" or "password." This demonstrates the need  
for strong password enforcement, password management, and even  
multifactor authentication.
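A worked illustration of the "strong password enforcement" point, added here and not part of Oltsik's column: a policy check that rejects exactly the kind of trivial passwords the worm's cracker targets. The denylist excerpt, the substitution map and the test passwords are constructed for the example; a real deployment would use a full breached-password list and pair the check with multifactor authentication as the text recommends.

```python
import re

# Constructed excerpt of a common-password denylist (illustrative, not a real list).
COMMON_PASSWORDS = {
    "1234", "12345", "123456", "password", "qwerty",
    "letmein", "admin", "welcome", "abc123",
}

# Common character substitutions; guessing tools try these, so the policy
# must see through them too ("P@ssw0rd" is still "password").
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                          "4": "a", "5": "s", "$": "s", "7": "t"})

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def normalize(password: str) -> str:
    """Lower-case and undo common substitutions before comparing against the denylist."""
    return password.lower().translate(LEET_MAP)


def password_policy_violations(password: str, username: str = "", min_length: int = 12) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON_PASSWORDS or normalize(password) in COMMON_PASSWORDS:
        problems.append("matches a common password (after normalization)")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if sum(bool(re.search(cls, password)) for cls in CHARACTER_CLASSES) < 3:
        problems.append("uses fewer than three character classes")
    # A single repeated character ("aaaa") or a repeated short pattern ("abcabc").
    if re.fullmatch(r"(.)\1*", password) or re.fullmatch(r"(..+?)\1+", password):
        problems.append("is a single repeated character or pattern")
    return problems


if __name__ == "__main__":
    for candidate in ("1234", "P@ssw0rd", "Correct-Horse-Battery-7"):
        print(candidate, "->", password_policy_violations(candidate) or "OK")
```

The normalization step matters more than the length rule: users who are told "password" is banned tend to submit "P@ssw0rd", which a naive denylist lookup would accept.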

    4. Finally, Conficker is an extremely aggressive worm that looks  
for open file shares on the network to create yet another propagation  
method. Detecting this activity demands network traffic analysis and  
an understanding of normal versus anomalous behavior.
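To make the "normal versus anomalous" point concrete, here is an added example (mine, not from the column) of the kind of network traffic analysis that catches share-hunting behaviour: a host that reaches many distinct SMB endpoints outside its usual set within a short window is flagged. The flow-log format, the addresses and the baseline of known file servers are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

SMB_PORTS = {139, 445}
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+)$")

# Constructed flow-log lines (not real traffic). 10.0.0.9 behaves normally;
# 10.0.0.5 touches 12 different hosts on port 445 within 12 seconds, the
# fan-out pattern of a worm probing for open file shares.
SAMPLE_LOG = [
    "2009-03-30T10:00:00 src=10.0.0.9 dst=10.0.0.100 dport=445",
    "2009-03-30T10:00:05 src=10.0.0.9 dst=10.0.0.100 dport=445",
    "2009-03-30T10:00:07 src=10.0.0.9 dst=10.0.0.101 dport=80",
] + [
    f"2009-03-30T10:00:{s:02d} src=10.0.0.5 dst=10.0.0.{20 + s} dport=445"
    for s in range(12)
]

# The "normal" baseline: file servers that workstations are expected to reach.
KNOWN_FILE_SERVERS = {"10.0.0.100"}


def parse_line(line):
    """Parse one flow-log line into (timestamp, src, dst, port), or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect_share_scanners(lines, known_servers, window_seconds=60, threshold=10):
    """Return {src: distinct_targets} for every source that contacts at least
    `threshold` distinct non-baseline hosts on SMB ports inside any
    `window_seconds`-long sliding window."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst, port = parsed
        # Only SMB traffic that falls outside the expected baseline counts.
        if port in SMB_PORTS and dst not in known_servers:
            events[src].append((ts, dst))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            targets = set()
            for ts, dst in evs[i:]:
                if (ts - start).total_seconds() > window_seconds:
                    break
                targets.add(dst)
            if len(targets) >= threshold and len(targets) > flagged.get(src, 0):
                flagged[src] = len(targets)
    return flagged


if __name__ == "__main__":
    for src, n in detect_share_scanners(SAMPLE_LOG, KNOWN_FILE_SERVERS).items():
        print(f"ALERT {src}: {n} distinct SMB targets outside the baseline")
```

The baseline set is what turns a raw count into a judgement about normality: a workstation talking to its file server twenty times a minute is normal, while the same workstation touching twelve hosts it has never talked to before is not.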

It would be easy to simply blame Microsoft for Conficker since the  
worm exploits an operating system vulnerability. But to me, doing so  
would be a cop-out. In truth, Conficker exploits a number of  
technology, process, and human vulnerabilities. In my humble opinion,  
this is what makes it so dangerous.

Jon Oltsik is a senior analyst at the Enterprise Strategy Group. He is  
not an employee of CNET.
