As usual, finger-pointing about what is beginning to be seen as Conficker FUD is increasing. Understandably, the media is taking the brunt. Understandably, but not necessarily appropriate.
So let’s review. The Conficker threat surfaced and media outlets did what they are supposed to do; they spread the word, supported by comments from security ‘experts.’ I for one want as much noise as possible when a new threat emerges. The noise means I won’t somehow come late to the fray. It also means senior management will be educated on the problem while I assess business risk. So, what’s the problem?
Is it that many media pundits are not tech-savvy, and security experts compound the problem with unreasonable claims?
“It’s really complicated and media outlets have a hard time understanding it,” said Rick Wesson, chief executive of security company Support Intelligence, Wednesday. He earlier called Conficker a “digital Pearl Harbor.”
He has a point of course. Sensational stories sell. But every sensational Conficker story we’ve seen also quotes a few security experts making sensational claims.
Source: Conficker Scare: It’s the Media’s Fault, Ben Worthen, Digits (WSJ Blog), 1 April 2009
I don’t think so. Regardless of whether a sky-is-falling situation exists, managers responsible for organizational security should know whether their controls are sufficient to repel a Conficker onslaught. At most, a short assessment of its attack vectors and appropriate controls along those vectors should be enough to identify gaps and steps to fill those gaps. Ideally, scenario planning activities have already identified related issues and they have been remediated.
As far as home users are concerned, most of them need an occasional kick-in-the-pants to ensure their systems are secure. If it takes an occasional call to battle-stations, then so be it—even if the bogey turns out to be a harmless albatross.
Finally, we don’t know for a fact that Conficker is harmless. It might simply be resting before its first real run at a target. As Worthen writes in his blog,
Conficker disclaimer: Just because the world didn’t end doesn’t mean that Conficker isn’t bad, and won’t do bad things in the future. Similarly, there are many other computer viruses out there that are currently doing bad things like stealing information.
So the problem was not with how Conficker was reported. Rather the problem was with those responsible for maintaining secure systems not understanding whether they were at risk or not.
It shouldn’t take a media frenzy to make people take a hard look at the state of their systems. It should be an ongoing process, resulting in a strategy which provides reasonable and appropriate protection regardless of the latest emerging threat.