Sunday, 09 May 2004

German police arrested the 18-year-old author of the Sasser virus. Apparently he also confessed to authoring other viruses, including NetSky.

Which is good. But not amazing. For the most part, the bad guys eventually get caught.

What amazes me is the fact that so many companies and government agencies were actually shut down by the Sasser worm. A friend of mine who works for a government agency called me tonight to tell me that last week the city, county and related agencies where he works were shut down by the worm.

My response: “WHAT?!?!?!!?!?” The departments that were shut down in my friend's account of the situation included public safety departments and a fire/police dispatch center among others... No small potatoes when you consider how critical it is that things just need to work. Maybe someone needs to lose his or her job.

Good vs. Bad, or “Dude, that's pretty extreme.”

I'm serious - this one was so easy to avoid, there's simply no excuse for having a problem. I can think of one only reason any company or agency would be affected, and come to think of it, it's a problem rampant the world over.

Sadly, some IT professionals aren't - well - they're just not very professional.

So, here's an important message for companies and agencies employing lazy IT staff: If they don't prevent the outbreaks, they're not doing their jobs. The mark of a good IT crew is not that they respond to a virus outbreak and make everyone feel good that they're able to disinfect computers and (hopefully) go to tape backups to restore ruined data. The good IT crew is not the one that tells you it will take two to three days to recover, and then “delivers” in one day.

So what, then, makes for a good IT crew? And how do you know if you have one? It's very simple: While everyone else is freaking out about viruses and other threats, your company is still operating and you're not really too concerned, because your company just doesn't ever have many network security issues. Besides, if there was going to be a problem, you would have heard about it from the IT crew by now. In other words, things just work, problems are prevented, work doesn't stop, and you don't have to worry. That's what a good IT crew does for you.

An Ounce of Prevention Is Worth Big $$$

Believe it or not, I'm not supposed to be an exterminator. My job is to make sure the virus outbreak never happens in the first place, and the people who work in my department share in that responsibility. Ultimately, I am the one responsible (and held accountable) for network and data integrity when it comes to viruses and intrusions, but we all take a significant amount of pride in making sure problems never get a chance to occur.

What many may not realize is that it's actually pretty easy to do. In fact, it's a lot less work to prevent the problems than it is to react to them after they occur. Keeping a problem from happening is akin to preventing a cancer from ever growing; You can be so much more confident, and if the ability to prevent is there, it's simply negligent to assume the reactive posture. The removal of a cancer is painful, time consuming and expensive. Worse yet, you almost always have to wonder if you got it all, if it will ever resurface, and what the result will be when it does.

To be perfectly clear about where I'm going with this: I believe that organizations need to adopt a zero-tolerance policy toward avoidable downtime. Virus outbreaks should be very few, very far between, and extremely isolated in scope. If a virus infects an entire network, something is not being done correctly. If data is lost and can't be recovered, there's simply no excuse.

Kick Me If You Like, But I Know I'm Right

Some who work in the IT field will read this and be upset with me. Am I really telling people like my boss to fire their employees if they can't prevent the problems from happening?

Yes, in a matter of speaking I am. After all, if I can't (or rather “won't,” since pretty much anyone can) protect the company from internal and external threats, I am not doing my job and my boss needs to find someone who can (and will). While there are occasional threats that cannot be prevented, he knows that those are so rare that he'll know when the exception to the rule occurs.

IT professionals around the world, regardless of the organization's size or business, should hold themselves to this standard. If you're an employer, you're responsible for maintaining or hiring people who meet the standard.

We no longer live in a world where the guy your neighbor knows who “works in computers” is sufficient for a professional IT job. Even the interns I hire require a special skill and work ethic that's hard to find. High standards make for quality work and results, and I think that's the way it should be. To expect less in this day and age is to neglect the needs of the real world of IT.

It's Bigger Than Just Your Organization

By the way - when the people responsible to do the prevention at your organizations fail in their duties, who do you think those failures impact? It's not just your employees and customers. The nature of the Internet is that your failure will almost certainly impact many organizations outside of you own. That's what virus writers count on, that the poorly-designed and -managed networks of the world won't be proactively managed, and that employers who don't know the difference won't do anything about it.

If you're the employer and you can't for the life of you determine whether your IT employees know how to do their jobs, here's your best clue: They probably don't. It's one of those things where you know if they're doing their jobs. How? It's a dangerous world we work in; If they are not educating you and keeping you aware, they're not doing their jobs.

For the Record - Bad Employers Are Part of the Problem

Before I finish, I should say that I realize the world is not black-and-white, that there are many aspects of operational IT work that can put a very good and responsible IT professional in a position where he or she is doomed to fail. There are times when, despite the best efforts of the individual, the budget or company priorities actually prevent you from doing good security. I only see two options for you there: One is to make them aware, change the outlook and attitude, and failing that the second option is to find a place to work that will leverage your skills and and fits your priorities.

Line In The Sand

So, here's the challenge: I think that anyone responsible for day-to-day IT security who walks away from these words upset that I'd adopt this position probably needs to take a look at why they're upset. Seems to me if one does one's job, there's nothing there to be upset about.

Anyhow, that's what I think. It's a little more black and white in writing than in real-world practice, but I've read and re-read my words, and I'm good with them. This started out to be a short post about the 18-year-old kid who wrote a computer worm. It ended up becoming a bit of a rant about what really matters to my employer. Catching this kid doesn't mean less viruses and worms - We still have a job to do, and it's just getting more and more complicated as time goes on.

And since all good blog entries should include a question, tell me: What do you think? Click the comments link and talk back if you're so inclined. I could be wrong, you know. ;-)

Add/Read: Comments [1]
IT Security | Tech
Tuesday, 11 May 2004 08:35:55 (Pacific Standard Time, UTC-08:00)
I've been saying this for years.
Comments are closed.