“If we’re not all secure, no one is secure.” — Chris Harper, Secure Enterprise Computing
RESEARCH TRIANGLE PARK — Chris Harper, vice president of technical services at RTP-based Secure Enterprise Computing, was not surprised at all by the so-called SQL Slammer attack that rippled through the Internet over the past few days.
“It’s staggering,” he said. “We still, in 2003, run across companies that have no firewalls. They have done nothing as far as security goes. Absolutely nothing. They never consider it.
“You would think when you are in business and have data to protect that you would be doing something. It’s like walking down the street and finding people leaving their doors open on a regular basis. You could do that in the ’50s. You can’t do that now.”
Why be so naïve — or careless?
“I can’t say why people do certain things,” he said, the mystery evident in his voice. “It’s bad business practice to have ports open on a server in the first place.”
Microsoft a victim, too
The SQL Slammer, so named in part because the worm invaded Microsoft SQL (sequel) servers that had not been patched despite warnings from Microsoft, brought down ATM networks, slowed stock trades – and even pummeled mighty Microsoft. The worm sought out open ports, attacked, and moved on like a relentless robot army. If a server was “open,” Slammer took no prisoners.
“HELP NEEDED: if you have servers that are nonessential, please shut down,” read the emergency e-mail dispatched within Microsoft.
The fact that Microsoft was caught not obeying its own warnings reflects the casual attitude too many people take toward network security, Harper said. Worse, he said, companies have no reason to expose servers to the Net without firewall protection or a virtual private network (VPN).
“The problem is the mindset that it’s OK to expose a private machine and data to the public,” he said. “What this attack tells me is that we are still in a state of reaction. We take reactionary measures. We’re still in a reactive mode rather than a proactive mode.
“If a company is proactive, it will say that if there is a SQL server that needs to have outside communication then what are the options to keep it secure? They can pick a virtual private network or a private network.
“You really shouldn’t be in a situation where an SQL server is exposed to the Internet,” Harper added. “Exposing an SQL server should not be something that is even considered. However, I personally have seen organizations do that.
“Personally, it frustrates me. You go in to talk to them and they say we have to do blah, blah, blah. Others say, ‘What’s the threat? If someone gets the data, we’ve got backup. Blah, blah, blah.’”
Short-cutting own security
Too many times, Harper said, systems administrators take shortcuts around firewalls or even VPNs simply for ease of operation.
“We’ve run across organizations that let some manufacturer or a partner run a client on a portion of an application and they expose the SQL box to the world because they don’t want to go to the trouble of setting up a VPN or dealing with (security) support issues.”
Other systems administrators are either short-handed — or short on knowledge.
“Sometimes mistakes are made out of ignorance, sometimes out of budgetary issues, and sometimes it’s not understanding the security ramifications,” he explained. Whatever the reason, if one “hole” is left, “The server’s open to everyone — and there you go.”
Since the SQL Slammer was a self-replicating worm, it wasn’t as destructive as a virus, which, for example, can propagate and devour everything on hard drives. The “denial of service” attack simply clogged servers and networks with worthless traffic, and a simple reboot could stop the problem, he said.
But Harper said attacks are evolving and no one should assume a worm is relatively harmless.
“There are a lot of viruses these days that are like worms, and worms that are like viruses,” Harper said.
Open invitation to cyberterrorism
Everyone and every business shares responsibility in dealing with security, he added.
“I heard a speaker from the FBI talking about security. He said that until everyone is secure, no one is secure,” Harper said. “We will not be secure until everyone takes security more seriously.”
Holes in networks and servers provide weak points through which hackers and cyberterrorists can attack, he added.
“Until people realize there is more to think about than just getting an SQL server running and providing functionality while not getting security to work properly, we have a problem,” Harper said. “Security is a concern that should weigh as heavily on companies as functionality and usability. Security has to be taken seriously.
“If not, this is the kind of attitude that allows cyberterrorism to exist and to affect the whole country.”
Rick Smith is managing editor of Local Tech Wire.