Comments on: Risk, Group Think and the Conficker Worm http://securityblog.verizonbusiness.com/2009/03/26/risk-group-think-and-the-conficker-worm/ Risk Intelligence from Verizon Business Security Solutions powered by Cybertrust Fri, 30 Oct 2009 23:27:39 +0000 http://wordpress.org/?v= hourly 1 By: Dave Kennedy http://securityblog.verizonbusiness.com/2009/03/26/risk-group-think-and-the-conficker-worm/comment-page-1/#comment-263 Dave Kennedy Tue, 07 Apr 2009 15:53:13 +0000 http://securityblog.verizonbusiness.com/?p=175#comment-263 JM, I invite your attention to the "About the Blog" link above. I want to thank you for your insightful comment, but I am not inclined to agree with you completely. "Billso" and "caffeine head" are both correct and accusing them of spreading FUD is going too far. The same "group think" I cautioned about in the main entry is now leading too many security professionals to join the parade of pointing fingers at everything about Conficker declaring "FUD!" You are absolutely right that consistent accuracy and precision builds trust and causing panic damages trust. This blog is a platform to highlight information risk. The whole Conficker issue has certainly influenced information risk in both positive and negative ways. "Billso" is right, there is little doubt significant events in the malicious code space spur users to practice better information security habits. They renew their AV subscriptions or install new AV. The word "firewall" re-enters their vocabulary. They examine their habits for risks. Business leaders turn to their technology staff with "we're covered about this Conficker thing right?" queries. These represent opportunities for IT and InfoSec staff to engage their leaders about not only Conficker but other issues they face. If nothing else, it's an opportunity for the IT and IS staffs to develop relationships across the business. From this perspective, an unintended consequence of Conficker is it has helped us reduce total risk. This is the primary reason crimeware authors have striven to "run under the radar" since the days of Sasser, Slammer and Code Red. They don't want headlines to encourage users to safer habits. They do want to cultivate "what, me worry?" attitudes. In the past couple of months, their goals in this vein have been thwarted. "Caffeine head" is also correct that Conficker has spared many from hardship for the same reason; they clean up their safe computing habits. I suspect "JM" is of the opinion that because Conficker didn't "detonate" on April 1st, "caffeine head" was overreaching, but I'm reticent to make the same accusation. Every user who's updated AV, or has been reluctance to click on "you need to upgrade flash to view this video," has been spared hardship; especially those un-related to Conficker, courteous of other crimeware. Conficker is a risk problem. Part of the problem is what we don't know, and not knowing is causing us to spend time trying to understand it, time we could be devoting to other risk management activities. Part of the problem is the magnitude of infected systems. Our colleagues at IBM have recently blogged about their measurements of the size of the Conficker infected population at http://blogs.iss.net/archive/CountingConfickers.html Conficker has helped us engage users and business leaders to build the trust I think JM wants us to build. The conversations we have, like this one, when we can set others straight on what aspects of the issue are hype and what issues really do represent risk; these conversations cultivate relationships and trust. JM, I invite your attention to the “About the Blog” link above. I want to thank you for your insightful comment, but I am not inclined to agree with you completely. “Billso” and “caffeine head” are both correct and accusing them of spreading FUD is going too far. The same “group think” I cautioned about in the main entry is now leading too many security professionals to join the parade of pointing fingers at everything about Conficker declaring “FUD!” You are absolutely right that consistent accuracy and precision builds trust and causing panic damages trust.

This blog is a platform to highlight information risk. The whole Conficker issue has certainly influenced information risk in both positive and negative ways.

“Billso” is right, there is little doubt significant events in the malicious code space spur users to practice better information security habits. They renew their AV subscriptions or install new AV. The word “firewall” re-enters their vocabulary. They examine their habits for risks.

Business leaders turn to their technology staff with “we’re covered about this Conficker thing right?” queries. These represent opportunities for IT and InfoSec staff to engage their leaders about not only Conficker but other issues they face. If nothing else, it’s an opportunity for the IT and IS staffs to develop relationships across the business. From this perspective, an unintended consequence of Conficker is it has helped us reduce total risk.

This is the primary reason crimeware authors have striven to “run under the radar” since the days of Sasser, Slammer and Code Red. They don’t want headlines to encourage users to safer habits. They do want to cultivate “what, me worry?” attitudes. In the past couple of months, their goals in this vein have been thwarted.

“Caffeine head” is also correct that Conficker has spared many from hardship for the same reason; they clean up their safe computing habits. I suspect “JM” is of the opinion that because Conficker didn’t “detonate” on April 1st, “caffeine head” was overreaching, but I’m reticent to make the same accusation. Every user who’s updated AV, or has been reluctance to click on “you need to upgrade flash to view this video,” has been spared hardship; especially those un-related to Conficker, courteous of other crimeware.

Conficker is a risk problem. Part of the problem is what we don’t know, and not knowing is causing us to spend time trying to understand it, time we could be devoting to other risk management activities. Part of the problem is the magnitude of infected systems. Our colleagues at IBM have recently blogged about their measurements of the size of the Conficker infected population at http://blogs.iss.net/archive/CountingConfickers.html

Conficker has helped us engage users and business leaders to build the trust I think JM wants us to build. The conversations we have, like this one, when we can set others straight on what aspects of the issue are hype and what issues really do represent risk; these conversations cultivate relationships and trust.

]]> By: JM http://securityblog.verizonbusiness.com/2009/03/26/risk-group-think-and-the-conficker-worm/comment-page-1/#comment-259 JM Mon, 06 Apr 2009 22:41:22 +0000 http://securityblog.verizonbusiness.com/?p=175#comment-259 These two comments represent the problematic way so many in the infosec world justify their existence, and which this blog routinely avoids. Spreading unjustified fear ("Crying Wolf") is not somehow justified because 'you're sure' it helped 'a lot' of people or because it somehow magically caused more people to scan their machines. Only accurate and consistent reporting builds the trust needed to establish security. Justifying panic because of unintended consequences is neither a good security practice nor a good business practice. These two comments represent the problematic way so many in the infosec world justify their existence, and which this blog routinely avoids. Spreading unjustified fear (”Crying Wolf”) is not somehow justified because ‘you’re sure’ it helped ‘a lot’ of people or because it somehow magically caused more people to scan their machines. Only accurate and consistent reporting builds the trust needed to establish security. Justifying panic because of unintended consequences is neither a good security practice nor a good business practice.

]]> By: caffeine head http://securityblog.verizonbusiness.com/2009/03/26/risk-group-think-and-the-conficker-worm/comment-page-1/#comment-250 caffeine head Wed, 01 Apr 2009 04:40:53 +0000 http://securityblog.verizonbusiness.com/?p=175#comment-250 It's great that there was advance warning for the Conficker worm; i'm sure a lot of people were spared a lot of hardship because of this It’s great that there was advance warning for the Conficker worm; i’m sure a lot of people were spared a lot of hardship because of this

]]> By: billso http://securityblog.verizonbusiness.com/2009/03/26/risk-group-think-and-the-conficker-worm/comment-page-1/#comment-248 billso Tue, 31 Mar 2009 23:07:06 +0000 http://securityblog.verizonbusiness.com/?p=175#comment-248 If nothing else, the media's interest in Conficker has propmted more users and admins to scan and clean their WIndows PCs! If nothing else, the media’s interest in Conficker has propmted more users and admins to scan and clean their WIndows PCs!

]]>