Complacent network administrators are partly to blame for the success of this week's Zotob bot worm attacks on Windows 2000 machines, a Gartner analyst said Friday.
"I'd have to blame the software developer first of all," said John Pescatore, a Gartner research director. "What's the point of pointing blame at hackers, who are, after all, criminals? There will always be criminals. None of these attacks would have been successful if the vulnerabilities had been caught during development."
But next on Pescatore's list is a complacent "it won't happen" attitude among system administrators, a slow patch process, and a resulting window of opportunity for hackers.
"Since we haven't had a major worm since last year's Sasser, enterprises have slacked off," Pescatore argued. "'Nothing bad this month, nothing here,' they've been saying as Microsoft rolled out monthly patches.
"It's like someone saying, 'it's not rained in two months, so I'll hold off fixing the roof.'"
Such complacency has struck before. In 2002, the year after the destructive Nimda and Code Red worms, there wasn't a single major outbreak. "People started to relax then, too, and when 2003 hit with Slammer, they weren't ready," said Pescatore. During the last round of big-time attacks -- the 18 months running from early 2003 with SQL Slammer to late spring 2004's Sasser -- companies pulled out all the stops to secure their networks, said Pescatore. "They authorized overtime to push patches out as quickly as possible, got critical patches down to just two business days, and all patches down to five days."
But then patching got lax again.
"You can't relax," said Pescatore. "You have to pay attention to vulnerability management, and patch as quickly as you can."
Joe Wilcox, an analyst with JupiterResearch, wasn't as quick to blame administrators. "Deployment of patches can take time, but unfortunately, that time may not be available," he said. "Businesses aren't consumers, who can just automatically have Windows install patches. Businesses have to take time testing the patch for compatibility. Patching is a big chore. What's needed are better [patch management] tools.
"I'd blame the criminals, the hackers, definitely," said Wilcox.
Microsoft, he added, is in a damned-if-they-do, damned-if-they-don't position.
"A lot of viruses appear after Microsoft releases information," he said. "That alerts hackers to an opportunity. But to keep the vulnerability secret, that's not in the best interests of customers, either. Microsoft's doing the right thing by releasing the information, but only when a patch is available."
On Thursday, U.K.-based security firm Sophos released the results of a poll in which 35 percent of the 1,000 respondents blamed Microsoft for the Zotob troubles, 45 percent pointed fingers at the hackers, but only 20 percent said that the successful attacks were due to slow patching by administrators.