With recent coverage in The New York Times, The Washington Post, and 60 Minutes, the sophisticated Conficker worm has become mainstream news. Yes, the underlying concepts may be a bit complex for John Q. Public, but I think this media attention is a great public service. Users need this type of education to better understand the risks associated with Internet connectivity.
Plenty of people have written detailed descriptions about what Conficker is, where it may have come from, and future potential damage. I prefer to focus on the relationship between Conficker and overall IT security. Given its properties, Conficker goes well beyond malicious code and endpoint security. In my view, the Conficker worm provides a microcosm of the complexity of IT security and the pressing need for security best practices. Here are a few examples:
- Conficker reinforces the link between IT security and operations. Organizations with strong asset, configuration, and patch management processes were probably able to patch vulnerable systems before Conficker first appeared in November 2008.
- Conficker demonstrates the need for device authentication and port blocking. Conficker uses USB flash drives as a means for propagation. This should serve as a wake-up call to security professionals that USB drives can act as a modern-day "sneakernet" for spreading malicious code or stealing confidential data. Addressing these threats means limiting USB access to authorized drives (through means like the IEEE 1667 standard) while filtering all traffic that flows to or from USB drives.
- Conficker contains a password-cracking program that can break simple passwords like "1234" or "password." This demonstrates the need for strong password enforcement, password management, and even multifactor authentication.
- Finally, Conficker is an extremely aggressive worm that looks for open file shares on the network to create yet another propagation method. Detecting this activity demands network traffic analysis and an understanding of normal versus anomalous behavior.
It would be easy to simply blame Microsoft for Conficker since the worm exploits an operating system vulnerability. But to me, doing so would be a cop-out. In truth, Conficker exploits a number of technology, process, and human vulnerabilities. In my humble opinion, this is what makes it so dangerous.