Dr. Slammer, or how I learned to stop worrying and love downtime

Guest writer doles out grades for Slammer situation
Security Strategies Alert By M. E. Kabay, Network World, 02/27/2003

Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.


My friend and colleague Jim Reavis recently sent me the latest issue of his "CSOinformer" security newsletter, and I was so taken by his comments on the recent Slammer incident that I asked him for permission to republish them here. He has very kindly allowed me to print the following essay (lightly edited) from his excellent publication.

"I" refers to Jim, so please direct your praise (or abuse) to him at jim@reavis.org with a copy to me at mkabay@norwich.edu when responding to any controversial bits below.

* * *

The Slammer (or Sapphire) worm has come and is mostly gone. This worm halted the Internet in many parts of the world and stopped many critical business functions within corporations. How do I grade the players in this latest saga? Let's take a look:

* Microsoft: B-. Seriously, how much blame can we ascribe to Redmond when they released a security advisory six months before the attack, complete with a patch for the affected SQL Servers? They cannot get an "A" because they released the insecure product in the first place; they get the minus for having a lot of security advisories to wade through and for making the process for patching computers so painful, as I'll discuss at the end of this column.

* Information security industry: D. If there is going to be an information security industry in the long run, these are the moments in which it needs to shine. Vulnerability assessment companies can claim they warned you, but they didn't do too much to help you. Many companies claimed that they could help - the next time Slammer attacked. There were some very good examples of smaller companies who trapped Slammer with anomaly detection technology or prevented it with patch management. But the big guys - the security companies most of us have standardized on - seemed to have very few answers.

* Systems administrators: F. We all need to take personal responsibility for the security of our networks. The underlying vulnerability for Slammer was announced on July 24, 2002, by Microsoft bulletin MS02-039 and given the maximum severity rating. History tells us that nearly all wide-scale attacks are based upon known vulnerabilities. Microsoft released 72 security bulletins in 2002, not a tiny number, but not exactly the population of Hong Kong either. A systems administrator reading MS02-039 should have seen the hallmarks of a potential problem: specifically, the vulnerability could be automatically exploited without any local interaction. However, most chose not to apply the patch.

M. E. Kabay, PhD, CISSP-ISSMP, is Program Director of the Master of Science in Information Assurance program at Norwich University.
