CIO

Vendors deserve some credit for Conficker response

Sure, there was hype leading up to the Conficker catastrophe that never came. But Bill Brenner thinks security vendors and their PR reps deserve some credit for restraint this time around.

I planned to make this a column about how the security vendors and PR flaks blew things way out of proportion with Conficker. I was ready to take them to task for predicting an Internet meltdown at the hands of what is no doubt the most prolific piece of malware we've seen in some time.

Instead, I feel the need to give them a little credit for showing more restraint than they've shown in the past.

Make no mistake about it: There was plenty of vendor-generated FUD circulating on this one, and my e-mail inbox was flooded with gems that included a pitch on how one vendor will show how easily Conficker can take down a virtual network at the upcoming RSA security conference.

"The virtualized data center presents an especially fertile habitat for Conficker because of the lack of visibility and control present within the virtualized environment," the e-mail pitch warned. "Communication between VMs on an ESX server doesn't touch the physical network, making it invisible to traditional network monitoring tools and unprotected by physical network security devices. As a result, it is easy for worms like Conficker to spread quickly in this environment."

Oh yeah, and don't forget to buy said vendor's virtual firewall. It's the first firewall of its kind, after all.

Another PR e-mail noted that while its vendor client has seen very limited activity to date with Conficker, "Conficker should still be considered a serious threat [because] millions of machines are infected and the capability is definitely there for attackers to use the network for nefarious purposes."

But I also found an abundance of vendors who went out of their way to talk everyone off the FUD ledge. When one British tabloid wrote that "Millions of computers around the world could go into meltdown April 1 because of a deadly virus," Sophos Senior Technology Consultant Graham Cluley responded in his blog that it's easy to see why, with headlines like this, people are in such a panic.

"It's just as likely that Conficker will receive instructions to do something on March 28th, or April 2nd, or April 14th as it will on April 1st. The emphasis by some media outlets on April 1st is really unfortunate," he wrote.

Luis Corrons, a director at Panda Security, sought to cool heads in a blog post entitled "Don't get taken in by the Conficker Panic." He noted that the bad guys aren't going to melt the Internet because they need the infrastructure up and running to engage in their money-making exploits.

Far more useful in this whole affair were the sites that simply offered users ways to detect and remove Conficker infections from their computers.

The SANS Internet Storm Center, for example, set up a Web page steering users toward detection and clean-up resources. Kaspersky Lab's new ThreatPost site also aggregated useful, cool-headed bits of information.

The bottom line is the same as always: Organizations have little to worry about from threats like these as long as they practice defense-in-depth -- deploying a layered program of security technologies and policies that include such basics as firewalls, antivirus and patch management procedures.

If your organization isn't already doing these things, the risk of getting hit with a five-year-old worm like Sasser is as great as getting infected with Conficker.