SQL Slammer Worm

At least Bernadette Hearne, Editor of the e-business Chemicals Newsletter, does not in her article make the mistake of simply blaming the IT departments for the stupidity so amply demonstrated over the past few days, as many commentators have. However, pointing fingers at the board and CEOs and saying "you're just as responsible, get tough!" is a gross over-simplification.

Without exception, the reaction from all commentators, specialists and vendors at large has been to point to the 'patch' as the culprit, and to blame the villains as,

Now, while all of these are real and need addressing, there is a bigger issue at stake. We need a more grown-up attitude that takes a strategic view of IT and the Internet.

The Business Case

To put the issue in context, let's look at some analogies:

A company makes ethylene. It needs naphtha as its basic raw material, as well as copious amounts of energy. Does it rely upon a single oil feed, or one electricity cable? Or does it have backup generators, multiple feed pipes, and complex and well thought out emergency procedures for use when something goes wrong?
A call centre specialising in the travel industry takes ticket-booking calls from all around the world. It relies upon telephony to take and make calls, email to send confirmations, and network links to the third parties it takes calls for and to the banks for credit card clearing. Does it rely upon one telecom provider and one internet link? Well, it seems they invariably do.
Do the operators of the cracking plant do away with the intrinsic safety rules, skip annual safety checks or inspections, or let people take mobile phones on site just that once because of some personal emergency, saying "well, we haven't had a fire so far, so is it worth the expense or inconvenience?"
Just how many corporate IT departments buy cheap; skip inspections (penetration tests) or security audits; have no configuration control or change management; have single servers hosting critical services, single telecoms providers, one internet connection; let users keep passwords forever; and have simple password authentication for systems hosting corporate data?

The point I'm trying to make is simple: in mature industries there is a well-developed sense of risk and risk management, and the consequences of failure are well understood. In the petrochemical industry the risks are real, and the consequences are measured not just in dollars but in lives lost.

By now you would have thought that the IT industry was mature enough to have developed a similar understanding and to have put into practice systems and procedures, backed by legislation, to protect infrastructure and personnel.

Even if the IT professionals can't see this, at least those they serve (financial institutions, industry, health care, government departments, etc.) could have recognised the critical nature of IT in our society and demanded that the same kind of approach be taken.

Except in very few cases, IT is not recognised as a piece of critical infrastructure by anyone in a decision-making position, and it is therefore not given the attention it deserves.

Too often we hear from those in charge of investment that IT is too complicated, and they naturally avoid making decisions on things they don't understand. True, IT is complex, but then so are biotechnology, the chemical industry, nuclear power, etc., and yet we have the proper controls and legislation in place to ensure public safety and continuity of supply.

Similarly, at the local level we see management viewing IT as a pure cost to the business, to such an extent that this view becomes culturally ingrained in the organisation. I guess they've only themselves to blame; we all know of incidents where money has been invested in IT for technology's sake, where budgets and budget controls have overrun, and where the software has not delivered what was promised.

IT sees its role as managing its systems and cutting costs, rather than as a strategic tool to win, retain and deliver business advantage. IT managers and the technical amongst us will always find it difficult to put together a business case that shows a return on investment for the company's mainline business.

But TCO (total cost of ownership) is not just a marketing buzzword; it is a reality, and just like any investment decision, return on capital and cost-effectiveness measures need to be made. That, however, will take both the management and the technologists participating together to make real business decisions.


copyright © 2003 ecommnet