Computerworld - Two recent unrelated news stories struck me as indicative of a fundamental problem with IT security: We seem to favor looking at symptoms over finding the root cause of problems.
The first story was nearly comical for the effort that was expended to pin blame. Back in December, the Conficker virus infected 3,000 computers on the network of the Waikato District Health Board, which encompasses all of the hospitals in a district that accounts for 10% of New Zealand's population. Officials claimed that emergency operations were not affected, but the district hospitals requested that only true emergencies be referred to them. Certainly, it is critical that steps be taken to assure that nothing like this ever happens again.
I just don't agree that an effective response would include a three-month investigation into the incident. The report came in this month, and, believe it or not, they say they found the source of the infection. According to the report, someone plugged an infected USB drive into a computer in a parking garage tollbooth, bringing multiple hospitals to a near standstill for three days.
Very impressive forensics (although of course I am very skeptical). But isn't the real question how the network could have been infected in the first place? Well, this was in a medical environment, and epidemiologists are very interested in vectors of contamination and determining the identity of Patient Zero. But let's use a medical analogy to this situation to assess the merits of the response. Say that a hospital system had to shut down because all of its doctors and nurses came down with H1N1 flu. An epidemiologist will want to know the source of the infection, but the glaringly obvious question would be, Why wasn't the entire staff inoculated against the H1N1 virus?
Which is why I ask, Why was the Waikato DHB network vulnerable to Conficker? A computer that has been patched just about any time within the past year would not have been vulnerable to Conficker. And just about any up-to-date antivirus software would have safeguarded the network against the virus. These are two fundamental computing principles that the system failed on.
Now that the Waikato DHB has fingered the culprit, what will be its next move? Caution everyone who uses the network not to attach USB sticks to devices on the network? Fire the parking garage attendant as an example for everyone? Either action would be beside the point. To return to the H1N1 analogy for a moment, firing the parking garage attendant would be akin to firing a janitor who had been negligent about washing his hands and was determined to be the source of the flu infection. Wouldn't the truly culpable person be the hospital administrator who failed to assure that the entire staff had been inoculated?
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
