Rob O’Neil published a great article last week in Computerworld entitled ‘Anatomy of a Conficker Outbreak: Waikato District Health Board’.
The Conficker outbreak actually happened right at the end of last year and we tweeted it at the time, but it’s only now that the full facts behind the outbreak are public.
The story is another classic case of an organisation only being as secure as the least secure point in its network. The report cited faulty software, ageing systems, complexity and a lack of full network control as contributing factors. The outbreak caused some areas of the DHB to be shut down for two days, and the system responsible for the outbreak (the parking system) is still quarantined from the main network.
To a large extent, the report highlights the human weakness in the security chain, with management being criticised for giving insufficient priority to the work required to provide a more stable and secure IT environment.
The key contributing factors to the severity of the outbreak were deemed to be:
- Large number of machines connected to the network but not supported by the IT team.
- Weak password settings
- Extensive use of USB keys across the organisation
- Poor enforcement of security policies
- Poor IT security practices (particularly citing software patching)
The report suggests that the virus almost certainly entered Waikato District Health Board’s network from a USB stick loaded onto a Wilson Parking workstation connected to the DHB’s network. The workstation had no anti-virus software installed and was not fully patched. The virus then spread into Waikato DHB’s network by exploiting a server operating system vulnerability on a number of servers in the health board’s datacentre, bypassing the CA eTrust anti-virus software, which was unable to capture and disable the virus.
So the conclusions are pretty straightforward:
- You can’t just rely on anti-virus software – it’s only as good as the vendor’s latest update
- Monitoring and securing at the perimeter won’t spot threats propagating from the inside out
- Security training for staff is hugely worthwhile as, by and large, staff don’t know when they are exposing organisations to risk
- Trying to make savings on IT infrastructure (and security infrastructure in particular) is a false economy in the long run
And obviously, all organisations should run a centralised IDS to identify and deal with such infections in real time. But that goes without saying.
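To make the inside-out point concrete, here is an added example (not code from the article, the DHB report or any product named above) of the sort of check a centralised IDS or flow collector would run: it reads NetFlow-style records and flags any internal host that contacts an unusually large number of distinct internal hosts on one port within a short window, the fan-out pattern a worm produces as it hunts for the next vulnerable server. It assumes RFC 1918 address space as “internal”, uses TCP 445 as the default port because Conficker’s server-side spread went over SMB, and runs on sample flow lines constructed inline rather than real DHB data; the threshold and window are assumptions to tune per network.

```python
"""Flag internal hosts whose connection fan-out looks like worm propagation.

Added example, not from the article or the DHB report. Input is a constructed
set of NetFlow-style records ("timestamp src dst dport"); field layout, the
internal ranges, the port and the thresholds are all assumptions for the demo.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Address space treated as "internal" for the example (RFC 1918 ranges).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Constructed sample flows. 10.20.5.17 touches twelve distinct internal hosts
# on port 445 in twelve seconds (worm-like); 10.20.7.3 repeatedly uses one
# file server plus one other host (normal); the remaining lines are either on
# another port or leave the internal range, so the detector must ignore them.
SAMPLE_FLOWS = "\n".join(
    [f"2008-12-01T09:00:{i:02d} 10.20.5.17 10.20.5.{100 + i} 445"
     for i in range(1, 13)]
    + [
        "2008-12-01T09:00:05 10.20.7.3 10.20.7.50 445",
        "2008-12-01T09:00:06 10.20.7.3 10.20.7.50 445",
        "2008-12-01T09:00:07 10.20.7.3 10.20.7.51 445",
        "2008-12-01T09:00:08 10.20.8.8 8.8.8.8 53",
        "2008-12-01T09:00:09 10.20.5.17 10.20.5.200 80",
    ]
)


def parse_flows(text):
    """Parse 'timestamp src dst dport' lines into (datetime, src, dst, port)."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), ip_address(src),
                      ip_address(dst), int(dport)))
    return flows


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def detect_fanout(flows, port=445, window_seconds=60, threshold=10):
    """Return {source: peak distinct internal destinations} for every internal
    source that reached at least `threshold` distinct internal hosts on `port`
    inside any `window_seconds` window. Perimeter devices never see this
    traffic; only internal flow data or a centralised IDS can."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        # Only internal-to-internal traffic on the port of interest counts.
        if dport == port and is_internal(src) and is_internal(dst) and src != dst:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it fits in window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            alerts[str(src)] = peak
    return alerts


if __name__ == "__main__":
    for host, count in detect_fanout(parse_flows(SAMPLE_FLOWS)).items():
        print(f"ALERT {host}: {count} distinct internal hosts on 445 within 60s")
```

On the constructed data this reports only 10.20.5.17, because the file-server user never exceeds two distinct destinations and the DNS and HTTP lines fall outside the filter. In production the same logic sits on a flow collector fed by internal switch SPAN ports or NetFlow exports, and the threshold is set from a baseline of normal SMB fan-out for the network; an alert then feeds the quarantine step the DHB ended up doing by hand.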
Tags: Conficker