An interesting article by Bill Brenner over at TechTarget comments on some of my recent warnings about MS06-040. For those who haven't seen my Chicken Little-esque statements, the article prints some of them:
Statements from researchers at San Francisco vulnerability management firm nCircle Network Security Inc. were probably the grimmest of all:
"This is no drill. And no, this isn't an overreaction. We've always said that some day there would be another big, serious vulnerability. Well, this is the one," warned Mike Murray, the company's director of research.
What never gets printed is the second part of what I always say when I'm suggesting that things have the potential to be really, really bad. In this case, to most reporters I talked to, I also added this caveat: "I really would like to be wrong. But let's weigh the consequences: if I'm wrong and everyone is a little too prepared, that's a slight over-spend. If I'm right and nobody listens and nobody prepares, then things are really, really bad".
This is the same kind of issue that we saw last year in New Orleans - there were many, many predictions that the city was terribly vulnerable. But nobody listened, and everything went really, really badly.
What will the future hold for MS06-040? Will there be the malware equivalent of Hurricane Katrina? Or is this a situation where nothing bad happens?
I, for one, hope to be just a little more prepared than I need to be (obviously not too prepared, lest I spend $100 protecting a $10 asset).
This, to me, is the game of risk management - the goal is to spend less than you would end up losing in the long run. In the scenario of MS06-040, there's a relatively small incremental cost to increasing the speed of most patching processes - a bit of overtime, etc. But there's a HUGE downside risk to not spending that small amount.
This is ultimately all about money and insurance - will I be wrong in the long run? Maybe. But, given the same vulnerability next month, I'd have made the same statements - the consequences of being wrong are simply too high.