Overreaction?
August 18, 2006
An interesting article by Bill Brenner over at TechTarget comments on some of my recent warnings about MS06-040. For those who haven’t seen my Chicken Little-esque statements, the article prints some of them:
Statements from researchers at San Francisco vulnerability management firm nCircle Network Security Inc. were probably the grimmest of all:
“This is no drill. And no, this isn’t an overreaction. We’ve always said that some day there would be another big, serious vulnerability. Well, this is the one,” warned Mike Murray, the company’s director of research.
What never gets printed is the second part of what I always say when I’m suggesting that things have the potential to be really, really bad. In this case, to most reporters I talked to, I also added this caveat: “I really would like to be wrong. But let’s weigh the consequences: if I’m wrong and everyone is a little too prepared, that’s a slight over-spend. If I’m right and nobody listens and nobody prepares, then things are really, really bad.”
This is the same kind of issue that we saw last year in New Orleans – there were many, many predictions that the city was terribly vulnerable. But nobody listened, and everything went really, really badly.
What will the future hold for MS06-040? Will there be the malware equivalent of Hurricane Katrina? Or is this a situation where nothing bad happens?
I, for one, hope to be just a little more prepared than I need to be (obviously not too prepared, lest I spend $100 protecting a $10 asset).
This, to me, is the game of risk management – the goal is to spend less than you would end up losing in the long run. In the scenario of MS06-040, there’s a relatively small incremental cost to increasing the speed of most patching processes – a bit of overtime, etc. But there’s a HUGE downside risk to not spending that small amount.
This is ultimately all about money and insurance – will I be wrong in the long run? Maybe. But, given the same vulnerability next month, I’d have made the same statements – the consequences of being wrong are simply too high.
Comments
4 Responses to “Overreaction?”
Bill Brenner over at SearchSecurity wrote a piece on his blog log the other day called Fear and loathing in MS06-040’s wake. In it he rehashed how some security pundits went to defcon level 2 (now there is a good
It seems that there was a bit of reaction to my recent blog entry. Specifically, Alan had a great post about hurricanes in response to what I wrote the other day.
Two things I wanted to respond back to: first, I didn’t mean to suggest that I was “ta
I think that this is an interesting issue.
One of the biggest concerns I have with this (especially being a part of the security industry), is does this promote a “Boy who cried wolf” type malaise from the readers?
Readers of the news are inundated with constant negativity and how the world is going to hell in a handbasket. From terrorism to global warming to pick-a-random-event-of-the-day, everything is all about what is wrong.
Eventually, after enough times of “crying wolf” with nothing happening, people will become blasé about reading this kind of information. Nothing significant of note happened previously when all hell was supposed to break loose, so why should anyone pay attention to the ramblings of an “expert”? It’s a catch-22 situation. If you don’t say anything and something happens, you would be guilty of not saying anything. At the polar end, you’re guilty of what Mr. Brenner accused you of in his article.
In the end, however, I don’t know if it is an overreaction on his part. The comments in the article are worded very strongly. For someone who doesn’t read these things on a daily basis, it may persuade them to patch themselves quickly. However, for those who have heard these doomsday speeches before, they may tend to ignore it more than they would have otherwise. It is similar to the whole terror alert level. Does anyone really pay that much attention to what it is anymore? From that, without a worm in the Windows XP series since the introduction of Service Pack 2, is the Chicken Little approach the right way to go?
After all of the discussion that we had about me overreacting, it looks like we just may end up with a worm on MS06-040 after all.