Despite a large government alert, press conferences and a massive scramble to install patches across Microsoft systems, the worm was still able to relaunch itself within tens of thousands of additional machines when it reappeared on July 31.
Code Red is not a revolutionary technique in hacking--it's just the most recent and widely publicized security threat to take advantage of a software flaw to damage the Internet infrastructure. Hackers exploit flaws in software every day. This time, the world just had a little more warning and corporate America got a "shove" to install a patch.
Today's security-through-vigilance approach involves four steps: configuring, limiting, monitoring and patching. This is an academic approach: identify the problem, limit the things it can do, watch for it, and then shore up defenses. Simply put, it's a reactionary approach that will always leave you one step behind hackers as you scramble to protect against the latest infection. The lesson this week should be that vigilance alone is not enough.
Downloading the latest fix from software companies--or the "patch and pray" method--is too reactionary and not the end-all solution. It requires enormous time, labor and commitment. And, when all is said and done, it only protects against known threats that have already caused damage. What about the next one? What happens when Code Blue arrives? Or Code Orange?
Code Red has served as a wake-up call to the industry, and organizations need to give their heads a shake. It's time for people to realize that it is possible to live in a world where the damage hackers cause is significantly reduced and most threats are rendered harmless. No longer do organizations have to "just deal with it" and hope for the best. But first, the entire industry has to accept a few facts of life:
There will be more Code Red-like threats.
Software will always have flaws that can be exploited.
Outside hackers and disgruntled insiders will always be looking for ways to cause trouble.
Administrators cannot install every patch on every system.
You cannot monitor "everything" and provide alarms at all corners of the enterprise.
Internet sites are designed to allow people to use your software.
There's a new generation of application security technologies deployed today that lock-down operating systems to dramatically increase protection against Code Red-like worms, even the ones that haven't been written yet. No application or bug can do anything without the operating systems' cooperation, making the operating system the first stop in preventive security.
Locking down a key application like the operating system allows you to control and compartmentalize every action and limit the ability of hackers to exploit a flaw to jump to other systems. But here's the key: When you lock down operating systems from the inside, it does not matter what "bug du jour" attacks you that day. Even if a hacker uses a bug to get in, he or she can't go anywhere or do anything.
Locking down systems with commercial operating systems security enhancements is not a silver bullet. But it is the first one to put into your security pistol. You do need authentication, virtual private networks and sound security procedures and practices.
That said, the industry needs to radically change how it safeguards systems, putting away a reactionary Band-Aid and unleashing the next generation of security technology to prevent injuries before they occur.