Picking at a Virus-Ridden Corpse:
Joe St Sauver, director of user services and network applications at the
University of Oregon Computing Center, has just gone through what everyone else
has: the epidemic of viruses and worms that rained down on campus networks over
the last several months.
As our guest editorialist this week, Joe has some strong opinions on why
some people got hit so hard and others didn’t. He also has some good lessons-learned.
Oh, Joe also wanted me to point out that his perspectives here do not reflect
difficulties or conditions at either his institution or any one particular institution.
They are "a synthesized view that reflects the collective higher education
Lessons from a Post-Blaster, Post-Welchia, Post-Nachi, Post Mortem
—Terry Calhoun, IT Trends Commentator, Society for College and University
Planning (SCUP), University of Michigan.
Sick of the Blaster/Lovsan, Welchia, Nachi experience? I know I am.
Let's do a brief post mortem and see what good we can glean from the latest
1. It's Windows PCs (again)
Does your campus rely on PCs running a current version of Microsoft Windows?
If so, I suspect you were hit hard. Campuses that use Macs (or Unix/Linux workstations,
or a mixture of different types of systems) experienced fewer direct problems,
although even the most innocent shouldered part of the collective burden.
Do we never learn? Just as these viruses targeted PCs running Microsoft Windows,
so have virtually all the previous ones. Time after time, infestation after
infestation, the viruses and the worms have come for the PCs running Microsoft
Windows, and time after time, the PCs running Microsoft Windows have fallen.
Given that pattern, what is surprising (at least to me), is that few universities
seem to notice this pattern, and even fewer of them "vote with their purchase
orders" in favor of more secure/less commonly attacked systems.
Does this mean that I would like all sales of Windows PCs to cease? No. What
I do want is a healthy level of operating system diversity, because in computing
(as in agriculture or a stock portfolio) diversity is key to managing risk and
2. That Perimeter Fence Sure Looked Good
Institutional firewalls are a staple security recommendation on every IT auditor's
checklist. Unfortunately, the recent viruses have illustrated just how ineffectual
they can be. Failure modes were numerous at many sites and for many reasons,
- A firewall was present, but consensus was never reached in the trenches
(or at managerial levels) on the tough rule sets that would have made a real
- Infested dialup users connected on the internal ("secure") side
of the institutional firewall (oops!)
- Laptops went home, got contaminated, and then came back to work—shiny
black and silver coughing sources of network contagion.
- VPNs tunneled right past firewall filters. VPNs which were intentionally
present, and VPNs which were intentionally unfiltered, so as to appease "those
who could not be refused."
So for those who may need a reality check, let me be blunt: the "intranet"
is dead. The inside of your institutional firewall is just like the outside
of your institutional firewall: it is all ablaze.
You (and your personal desktop workstation) may be an "intranet,"
everyone else, including your well-meaning but somewhat distracted and forgetful
(now infested) colleague in the office down the corridor, is part of that gigantic
germ-infested, petting zoo we call the global Internet.
At one point hardware firewalls were expensive and complicated: only an institution
could afford one, and only a geek could run one.
Those days are over: perfectly serviceable, personal hardware firewalls
are available now as commodity items for fifty bucks or less. They are not perfect,
but they're a heck of a lot better than nothing.
Admittedly, personal firewalls are contrary to the philosophical ideal of Internet
transparency and may choke end-to-end Internet performance, but let's get real:
most users really don't care as long as they can handle email, browse the Web
at some reasonable speed, and accomplish other mundane tasks without getting
hit by a virus.
If a particular user suddenly changes circumstances and needs to do something
exotic, a personal hardware firewall is not a tattoo: remove it and throw it
Oh, yes: if you think you can get away using just some software firewall product,
be sure to look at yearly update subscription costs, and you might also want
to talk with some of the folks who got infested during the interval of time
after their system had begun to boot, but before Windows got their software
firewall service launched.
If you're on a PC running Windows, you need a personal hardware firewall.
3. The Quality of Network Documentation; Out of
Band Access to Your Users
The recent virus infestations were also a good opportunity to review your network's
documentation. Did you have an out-of-band way to get in touch with people you
had to take "off the air?" Could you physically locate a given jack
that was emitting unacceptable traffic? Was the point of contact information
for that jack current? Most sites could use a little housekeeping attention
on their internal network documentation.
4. Network Monitoring
If your network backbone isn't instrumented in a way that will let you detect
attacks and compromised systems, maybe it's time to rethink that. You can't
run a network blind. Well, you can, but those who do were among those who suffered
the most. Here are a couple of links to sites that can help you learn more about
network intrusion detection:
We’ll hear more from Joe next week, including: how everyone’s
a system admin, but few do it well; how no one *really* takes security seriously
. . . yet; why we have to bite the bullet and license antiviral software for
students, too; and more.
Note: I guess it was the "worst of times," because I attributed the
Charles Dickens; quote in last week’s Opinion to Ernest Hemingway.
Mea culpa. Be assured that I do know the difference, having read nearly everything
either of them ever wrote, but I have had Hemingway on my mind a lot lately,
and my fingers just typed the wrong name in.