The recent discovery of Morto, the RDP password-guessing worm, is a good occasion to revisit how your organization's defenses are tuned. Morto doesn't simply exploit an unpatched software vulnerability; it mounts a multivector attack, tricking users into downloading and running it, then guessing credentials over RDP to break into further accounts. IT admins need to be prepared to identify and defend against this kind of multipronged threat.
Readers who have focused on Morto's interesting RDP usage and password guessing may be missing the bigger lessons. The worm is spreading because users are being tricked (yet again) into running something they shouldn't. That certainly shows the need to improve user education at your own company, and it raises a host of other questions about your security.
My challenge to all admins is to look beyond the acute problem (in this case, computers compromised by Morto) to the strategic reasons why computers under your control became infected in the first place. Once you have identified the causes, ask whether you are responding to each of them in the most effective way. If you don't counter each specific threat with the specific defense that works best against it, you can't expect improvement.
For example, what if your network became infected not through one of your own users but via a third party's connected network? Are your firewall rules set correctly, or do you allow RDP connections from any computer to any computer, even where that access isn't needed? Are admin-level accounts still using their default logon names? Are passwords weak or poorly protected? Are users with admin-equivalent rights opening Internet links? Morto writes to system-protected areas; it would not succeed if the user who opened the link were not running with an elevated account at the time.
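Two of those questions, whether RDP is reachable from places it shouldn't be and whether admin accounts still carry their default names, show up directly in the Security event log when a worm like Morto starts guessing. The following is an added example, not code from the original column: it runs simple detection logic over constructed Windows Security log records, flagging any source that produces a burst of failed RDP logons (event 4625, LogonType 10), listing which well-known account names were tried, and noting any successful RDP logon (event 4624) from the same source afterward. The record fields are a simplified version of the real event data, the sample records are made up, and the list of commonly guessed names is an assumption for the example rather than Morto's actual dictionary.

```python
"""Spot RDP password guessing in Windows Security log records.

Added example; the records are constructed, not real log data. Each record
is a simplified version of the fields a Security event carries:
4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP
(RemoteInteractive). In practice the records would come from Get-WinEvent,
Windows Event Forwarding or a SIEM.
"""
from collections import defaultdict
from datetime import datetime

RDP_LOGON_TYPE = 10
FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624

# Account names that password-guessing worms commonly try. This list is an
# assumption for the example, not Morto's actual dictionary.
COMMON_GUESSED_NAMES = {"administrator", "admin", "root", "guest",
                        "test", "backup", "user"}


def ev(time, event_id, logon_type, target, source_ip):
    """Build one simplified log record (helper for the constructed sample)."""
    return {"time": time, "event_id": event_id, "logon_type": logon_type,
            "target": target, "source_ip": source_ip}


# Constructed sample: one source spraying several accounts over RDP, one
# legitimate user mistyping a password once, one non-RDP failure that must
# be ignored, and one success from the guessing source after the burst.
SAMPLE_EVENTS = [
    ev("2011-08-28T10:00:01", 4625, 10, "Administrator", "10.0.0.50"),
    ev("2011-08-28T10:00:04", 4625, 10, "Administrator", "10.0.0.50"),
    ev("2011-08-28T10:00:07", 4625, 10, "admin", "10.0.0.50"),
    ev("2011-08-28T10:00:10", 4625, 10, "admin", "10.0.0.50"),
    ev("2011-08-28T10:00:13", 4625, 10, "root", "10.0.0.50"),
    ev("2011-08-28T10:00:16", 4625, 10, "backup", "10.0.0.50"),
    ev("2011-08-28T10:00:19", 4625, 10, "Administrator", "10.0.0.50"),
    ev("2011-08-28T10:00:22", 4625, 10, "sqladmin", "10.0.0.50"),
    ev("2011-08-28T10:00:25", 4625, 3, "Administrator", "10.0.0.50"),  # network logon, not RDP
    ev("2011-08-28T10:00:30", 4624, 10, "Administrator", "10.0.0.50"),  # guess succeeded
    ev("2011-08-28T10:02:00", 4625, 10, "jsmith", "10.0.0.77"),         # one typo, benign
]


def parse_time(stamp):
    """ISO-8601 timestamp -> datetime (records are assumed to share one zone)."""
    return datetime.fromisoformat(stamp)


def rdp_events(events, event_id):
    """Only records of the given event ID that arrived over RDP."""
    return [e for e in events
            if e["event_id"] == event_id and e["logon_type"] == RDP_LOGON_TYPE]


def successes_after(events, source_ip, since):
    """Accounts that logged on over RDP from source_ip at or after `since`."""
    return sorted({e["target"] for e in rdp_events(events, SUCCESSFUL_LOGON)
                   if e["source_ip"] == source_ip
                   and parse_time(e["time"]) >= since})


def detect_password_guessing(events, threshold=5, window_seconds=300):
    """Return {source_ip: report} for every source that produced at least
    `threshold` failed RDP logons inside any span of `window_seconds`."""
    by_source = defaultdict(list)
    for e in rdp_events(events, FAILED_LOGON):
        by_source[e["source_ip"]].append(e)

    alerts = {}
    for ip, failures in by_source.items():
        failures.sort(key=lambda e: parse_time(e["time"]))
        times = [parse_time(e["time"]) for e in failures]
        # Sliding window: advance `start` until the span fits in the window,
        # then check whether enough failures remain inside it.
        start, burst = 0, False
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                burst = True
                break
        if not burst:
            continue
        targets = sorted({e["target"] for e in failures})
        alerts[ip] = {
            "failures": len(failures),
            "first_seen": times[0].isoformat(),
            "last_seen": times[-1].isoformat(),
            "targets": targets,
            # Well-known names being tried is what a dictionary-guessing worm
            # looks like; a renamed admin account would not appear here.
            "default_names_targeted": [t for t in targets
                                       if t.lower() in COMMON_GUESSED_NAMES],
            # A success from the same source after the burst means the
            # guessing worked and that account must be treated as compromised.
            "successful_logons": successes_after(events, ip, times[0]),
        }
    return alerts


if __name__ == "__main__":
    for ip, report in detect_password_guessing(SAMPLE_EVENTS).items():
        print(ip, report)
```

Run against the sample, the script flags 10.0.0.50 (eight failures in 21 seconds against five account names, four of them well-known defaults, followed by a successful Administrator logon) and ignores both the single failure from 10.0.0.77 and the non-RDP failure. Tighten `window_seconds` or raise `threshold` to match the lockout policy you actually enforce; a source that is still producing failures after the lockout threshold is a sign the account it is hitting isn't subject to lockout, which for the built-in Administrator account is the default.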