Pop quiz time. You're an IT manager at a large government agency. You discover one day that more than 2000 computers under your control are infected with dozens of spyware programs, keyloggers, and other forms of malware. Do you:
A. Blame Microsoft.
B. Hire temps and send them around to run anti-spyware software on each infected computer.
C. Begin updating your résumé quickly, before security shows up to escort you from the building.
D. Immediately implement your disaster recovery protocol, quarantining affected systems, wiping and reinstalling operating system files and applications from a clean image, restoring data from backups, and auditing your processes to ensure that this never happens again.
The correct answer is, of course:
C. You should get working on that résumé right now. If you run a business network on which 2000 computers are completely out of your control, you've proven beyond any reasonable doubt that you're unqualified for your position. (If you said D, you get partial credit. That's what your replacement should do.)
Ah, but when this pop quiz was presented to the blogosphere earlier this week, the consensus response was, naturally, A. Blame Microsoft. Don't believe me? Read the reaction to some recent remarks by Mike Danseglio, program manager in the Security Solutions group at Microsoft:
When you are dealing with rootkits and some advanced spyware programs, the only solution is to rebuild from scratch. In some cases, there really is no way to recover without nuking the systems from orbit. …
[For some sophisticated forms of malware,] detection is difficult, and remediation is often impossible. If it doesn't crash your system or cause your system to freeze, how do you know it's there? The answer is you just don't know. Lots of times, you never see the infection occur in real time, and you don't see the malware lingering or running in the background.
Danseglio tells the story of an unnamed government agency that discovered malware infestations on 2000 computers and didn't have a process in place to restore data or re-image systems quickly. "They had to develop a process real fast," he said.
Ryan Naraine of eWeek deserves credit for getting the original story exactly right. Developers of malware are getting more vicious every day, and anyone - especially an IT professional - who relies on a single layer of security for protection is asking for trouble.
That was true five years ago, and it's true today. Anyone who reads this story and thinks this is a new development has clearly never read or understood the 10 Immutable Laws of Security. Here's law #2:
If a bad guy can alter the operating system on your computer, it's not your computer anymore
In the end, an operating system is just a series of ones and zeroes that, when interpreted by the processor, cause the computer to do certain things. Change the ones and zeroes, and it will do something different. Where are the ones and zeroes stored? Why, on the computer, right along with everything else! They're just files, and if other people who use the computer are permitted to change those files, it's "game over".
The Microsoft Security Response Center published that paper more than five years ago. (If you've never read it, and you have even the slightest interest in computer security, you should.) In fact, those ten laws apply to any computer system, regardless of what hardware or software you use.
The basics of effective computer security haven't changed in years: On a business network, users shouldn't be allowed to install untrusted software. Period. If you don't follow that basic rule, you're going to wind up with a mess. You might be able to remove some annoying and/or hostile programs, but you will never know if a rootkit has insinuated itself onto the system because it now owns the system, not you.
And if the mess is big enough, your replacement is going to be the one who gets to clean it up.
Update 7-Apr-2006: See George Ou's comments on the same issue.
Update 10-Apr-2006: Robert X. Cringely has a particularly egregious distortion of Danseglio's remarks.