There’s a notion out there that cyber-terrorism is somehow threatening the Internet itself. If you follow the mainstream media, you are regularly told about threats that make the Web sound like it’s a fragile flower, clinging on for dear life.
News about the U.S. government’s anti-terrorism strategies only increases confusion in some quarters. It would help if more people focused on the facts, instead of theories.
The most recent attack to highlight the scare was the SQL Slammer. It was a worm that sought out databases running MS SQL Server 2000. The motive behind the attack is not clear but its behavior was straightforward: it crawled around the Web, seeking out public Web sites running unprotected copies of MS SQL. When it found one, the worm attempted to paralyze the server with a flood of requests. The worm doesn’t seem to have caused any damage other than to inconvenience millions. It slowed Internet traffic, mainly in Asia, for a few hours and it ruined the weekend for an unknown number of sysadmins who had to lock down and patch servers that should have been secured months ago.
Yet many mainstream news stories suggested that the Internet itself was paralyzed. “Slammer Worm Cripples Internet” read a Yahoo! News headline. Anyone calm enough to read the story found no evidence of anything remotely close to a “crippling” impact. Buried near the end of the story was an admission that the “Internet recovered quite quickly.” If you listened to the radio or TV news last weekend, you probably heard similar panicky teasers, crafted so that you would be sure to hang on and listen to the rest of the story.
At times like this, it’s worth remembering one of the more famous debates of 1996. Was the Internet going to collapse under the weight of growing traffic? This was not an esoteric discussion. The question was raised loudly and repeatedly by Bob Metcalfe, an engineer who invented the Ethernet protocol. He publicly worried that gateways and switches were being pounded with so many new users that they would stop working. Magazines that covered technology (such things were popular back then) devoted many pages to the discussion. And as users sweated through slow dial-up sessions, they seemed ready to believe the threat was real. Metcalfe was so sure, he even gave a deadline by which the crash would occur. The deadline came and went. No crash. No gridlock.
To Metcalfe’s credit, he eventually owned up to his folly. And he went on to concede what others were saying all along. The Internet’s resilience is not a fluke. The original architects built a system that is self-healing and packed with redundancies. It will bend but it will not break.
That doesn’t mean security can be taken lightly. We don’t know what motivated the Slammer Worm author, but we do know he or she was exploiting a security hole that was widely known. Microsoft issued a fix for the problem in July 2002. Most copies of SQL Server on the Web had been updated and were never at risk. Any SQL 2000 Server that was paralyzed by this attack had been left completely exposed to the public. It was the equivalent of running a bank where the vault combination was scrawled on the men’s room wall.
No one likes to give credit to a criminal but if you’re smart, you’ll try to learn something from the Slammer attack. Attention to security is not optional for anyone doing business on the Internet.
If you run servers, you need to keep them up to date with the latest patches. You need to protect the perimeter with firewalls and keep non-essential ports closed. Desktops need just as much attention. Your access point needs to be protected by a firewall (both at home and at the office). Your virus checker needs to be up to date.
Of course, there’s more. Large organizations need to have security established as a primary job function. Smaller organizations need to have the responsibility well-defined for those who will be sharing the work. And if your IT staff doesn’t have enough time to stay on top of security threats, do expect to experience downtime, to lose customer records or worse. Online security threats are real but the damage can be minimized.
Life, online and offline, has threats. But it is not the Internet that is at risk. It is your own data.
Resources: Here are some places where you can stay informed.
- The President’s Critical Infrastructure Protection Board issued a white paper outlining security threats, with a checklist of threats and how to deal with them.
- eSecurityPlanet publishes a daily newsletter that reports on the latest vulnerabilities and threats.