When all was said and done, did Mydoom spell doom for your company? Did the fast-spreading, widely publicized virus bring your enterprise down in a tangle of clogged e-mail systems and overwhelmed servers during the past few weeks?
Chances are it didn't do any such thing. Though you would certainly be excused for thinking Armageddon was at hand, given the hyped-up, sky-is-falling public warnings from a handful of the antivirus and security vendors.
Mydoom was spun up in the press as everything from the harbinger of "doom to corporate in-boxes" to the "most virulent virus in history".
One advisory from Sybari Software called it "a huge problem for organizations," without any evidence to back that up. Central Command initially warned its customers about serious e-mail congestion at companies "bombarded" with infected messages, but it later downgraded the whole event to a "nuisance." McAfee rated the virus a "high outbreak" threat to business, although the estimated 500,000 infected systems turned out to be mostly home users and small businesses.
No question, there were tens of thousands of individuals seriously inconvenienced by this latest virus to target the ever-vulnerable Windows operating system. They were no doubt kicking themselves after clicking on the e-mail attachment that launched it. But the only high-profile business victim was The SCO Group's Web site, which was temporarily shut down on Super Bowl Sunday by a denial-of-service attack connected to Mydoom. A subsequent attack on the Microsoft Web site was successfully flicked away.
This so-called overwhelming threat fizzled out at e-mail gateways, thanks to IT and security managers who have shored up company defenses with well-known security practices such as screening out e-mail attachments, continually updating antivirus software and monitoring internal networks for unusual traffic patterns. "We were surprised by how little it affected us," as one telecommunications service manager put it.
Wondering if it was just my imagination that the Mydoom outbreak had been wildly overplayed, I called security expert Bruce Schneier, CTO at Counterpane Internet Security and author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World. He agreed that the threat level of this virus was overblown. But in his colleagues' defense, he pointed out that security companies often agonize over how much alarm to raise when these outbreaks first occur. In the frantic guessing game in the early hours of a virus's appearance, some prefer to hype rather than understate the dangers.
Not so coincidentally, the hype sells more product. What better time to hawk your software than when every media outlet is shrieking warnings about the need for it?
As Schneier and many other experts have pointed out, the only real solution lies in Microsoft virus-proofing its own software, which it's obviously unable to do. In the meantime, IT needs to be able to rely on credible information from the front lines of these virus outbreaks. Security vendors that keep issuing these Chicken Little virus warnings will ultimately lose their credibility with customers, plus their reputations as reliable sources with the media.
Remember how the Chicken Little fable ended? Ask the fox.