It's time for all of us to take a deep breath and chill the heck out. Code Red, my friends, is not that big a deal. Well, at least not yet.
Let's look at the facts. Code Red invades Microsoft Internet Information Services Web servers running on Windows NT or 2000, and then uses that server to begin scanning for more vulnerable machines, and the cycle continues. The first version defaces the Web site, while the two variants floating out there do not.
Is this serious? You bet it is. Is anybody going to lose any sleep over it? Probably not. Why the government is making such a big deal about it, I haven't a clue.
Folks, this really isn't a big deal. In fact, most of the vulnerable Web servers out there today are already infected with at least one version of the worm.
The only thing that scares me about Code Red is what it represents: the continued apathy in the IT community concerning the continuous patching and updating of their resources. Certainly the one needing the most Band-Aids is Microsoft's infamous Web server, which has more cracks than the alleyways behind my Brooklyn apartment.
For those of you who haven't heard, the vulnerability, as well as Microsoft's patch, was announced over a month ago! If everyone took the time once in a while to check the latest updates, we wouldn't ever have to worry about this.
Just for the record, this isn't a knock on systems administrators, whose job is one I don't envy in the slightest. In most cases, sysadmins are so swamped and under-staffed that virus updates and server patches drop immediately down the priority list. It's the "C-level" suit's responsibility to set the priority list from the beginning.
If this function is not a priority for you, may I suggest the numerous services out there from folks like ISS, AtomicTangerine, Vigilinx, iDefense, and a bunch more I'm probably forgetting, who can provide you with one of two things. Either they'll collect all the latest data about viruses, vulnerabilities and system patches pertinent to your operation and forward it to you in a daily e-mail so you can fix the systems yourself. Or, they'll take the less passive approach of completely hosting your security operation and take care of the patches themselves.
It used to be it was your responsibility to take care of this stuff because you were supposed to be a good "Netizen." Obviously, that concept never permeated throughout, so the industry has had to take the next step: taking you to court. The new fad in this wacky world of Internet law, is suing someone who's directly responsible for sending a virus, worm, or some other intrusion your way because they didn't properly update their systems.
I think that's the best idea so far. If you can't take care of security yourself, and you can't give it over to someone who will, then you become liable to those you harm because of your pure negligence.