The bugs stop here
CIO -
This past winter, a worm known as Slammer rattled the Internet violently enough to become what you might call a "CNN-level virus" -- that is, it burrowed its way into the national consciousness.
Nearly everything about the SQL Slammer was old. It was an old hack that exploited a year-old vulnerability found in an old target, Microsoft Corp. software. There was a patch to block Slammer that was six months old, and that patch suffered from an old patch problem: It was so kludgy to install that the patch needed a patch. Above all, the reaction to Slammer -- the call to use the event to build security awareness -- was so old it called Bob Hope "kid."
But this much was new: Everyone agreed that Slammer was your fault.
How to save $60 billion
The old game was to blame Microsoft. "Microsoft did not protect its customers," read a letter to The New York Times after the Melissa virus hit in 1999. A year later, after the I Love You virus infected Microsoft Outlook, a Washington Post editorial stated, "This is a software development problem." The Nimda worm (2001), according to Forrester Research Inc., required 625 combinations of patches applied to Microsoft's Internet Information Server. Nimda, along with its contemporary, the Code Red virus, eventually compelled Microsoft to implement and market Trustworthy Computing, an initiative aimed at helping Microsoft developers learn how to write secure code.
Slammer, though, hasn't followed the old pattern. An emerging consensus suggests that as woeful as Microsoft's products may be, CIOs have been equally sloppy. A February poll of more than 200 IT professionals, by antivirus company Sophos, showed that 64% of respondents blamed their peers' lax security practices for Slammer. Only 24% blamed Microsoft.
The poll also revealed that only 43% of the respondents said they subscribed to Microsoft's vulnerability mailing list, which provides early alerts of viruses in the wild. Twelve percent said they relied on "mainstream news" -- newspapers and TV -- to learn about new viruses. Three percent said they "don't really hear about them at all." And 19% said they patched software when they "got around to it."
"I've got to look around at my comrades and ask, Why aren't you patching your systems?" says Bob Ferderer, vice president of IT internal operations and security at CUNA Mutual Group, the nation's largest financial service provider for credit unions, with 5,000 employees and $9.3 billion in assets. "There's a relationship between individuals not taking action and how these things
Reprinted with permission from
Story Copyright CXO Media Inc., 2009. All rights reserved.