This weekend I was reminiscing about Nimda. Nimda caught us with our pants down. Now the root cause was a combination:
- Ineffective patching strategy.
- Poor signature distribution.
- Bad builds (builds need to be stripped and shipped in a minimalist form).
- Laissez-faire network shares.
- Weak web security (lack of armouring).
Nimda was a wake-up call as it exploited all of these and rolled them up into a major incident tsunami. A major incident tsunami is when multiple causes roll themselves into a single small time frame, producing either a single large incident or an accumulation of an excessive number of small incidents in a short time.
Many companies have learnt lessons from Code Red, Nimda and other variants. They are alert, and there is a large amount of awareness of the threat in the population. However, focussing on just the virus and worm component is likely to cause a reoccurrence of Nimda, but in another form. The threat I am referring to is malicious programs and phishing. The web filtering that most companies implement is ineffective, and these shortcomings will result in another major incident tsunami.
The traditional anti-virus agent needs to be supplemented by security enhancements to email, Google Desktop, Google search and DNS. Most of these enhancements are available as services from companies like OpenDNS, Mimecast and Google.