Symantec President and Chief Operating Officer John Schwarz talked last week with Dan Verton about the recent outbreak of the Slammer worm and offered important advice for companies struggling to find the right mix of security.
Q: What's your assessment of why the Slammer worm succeeded to the extent that it did?
The worm was not all that different from other attacks that we've seen in the past. But it did have one interesting feature: It was wholly memory resident. It had no file connections of any type, which made it very difficult for antivirus products to detect. The one fairly effective mechanism against the worm was heuristic or anomaly-based intrusion-detection devices that saw a dramatic increase in activity against port 1434.
But the best defense against this particular worm was the application of the right patch. If people had kept their systems up to date they would have had no problem.
Q: A lot was made about how some key infrastructures, particularly banking, were brought down by Slammer due to their interconnectivity. But didn't we know that about key infrastructures already, and what does this tell you about the future?
Every device connected to the network, whether it's behind the firewall or not, needs to be responsible for its own security. Every device, right down to the desktop or mobile device, needs to have security for incoming traffic and content scanning.
Also every device must have, at a minimum, an antivirus, firewall and intrusion-detection capability, and if appropriate, a virtual private network. If companies had this multiple-layered protection at every layer of the network, the worm would not have been a problem.
Q: For a lot of users, the current paradigm of threat, patch, recover isn't working. What can be done to fix what looks like a situation with no way out?
I think what we're seeing is that the process of managing and applying patches is far more costly and complicated than companies have the capacity to deal with. So what companies typically do is they selectively pick those patches that are critical and apply those in a well-staged sequence. They don't apply every time a new vulnerability is discovered because they can't be running to every computer in the infrastructure every day. And sometimes you get an attack that happens to be released before you have the opportunity to apply the patch.