By now, you should have heard about the Spida (aka Digispid.B) worm, which attacks Microsoft SQL Server. The main difference between this worm and some others (e.g., the Klez virus/worm) is that it's easily avoidable—simple common sense and a little training are all you need to ward off the Spida worm.
Spida looks for SQL Server machines with blank systems administrator (sa) account passwords. After the worm finds a vulnerable server, it uses a special SQL Server function (xp_cmdshell) to run programs in a command shell under the MSSQLServer service's security context. Because that context is by default the local System account, the worm gains full control over the entire system. Before you blame Microsoft for overlooking yet another security hole in one of its products, let me mention that for the 7 years that I've taught Microsoft Official Curriculum (MOC) courses that cover SQL Server administration, those course have addressed securing the sa account and the xp_cmdshell function. In addition, entry-level security classes almost always urge students to use firewalls to block all but the few ports that must remain open to the Internet. These classes also stress that a database server with private company information should never be directly accessible from the Internet.
We can safely assume that anyone who has had even a little training should know better than to leave the sa password blank on a server that's exposed to the Internet; therefore, the most likely reason that this worm exists is because people are administering servers without even a basic understanding of how to keep them safe. This worm exposes the true cost of improperly or insufficiently trained employees.
The cost of training is small when you compare it with the cost of an improperly administered and protected server. In the past few weeks, quite a few companies have become aware of just how much damage a compromised database server can cause. In addition to the loss of data, you must consider the loss of productivity during the downtime and the cost of paying someone to get you back up and running. Furthermore, this kind of worm leaves lingering questions about the capabilities of the administrators—if they didn't know enough to password-protect an administrator account, do they know enough to keep a critical server running smoothly?
This situation also reveals the fallacy of becoming certified for the sake of being certified. Learning enough to pass a few exams doesn't necessarily prepare the paper MCSEs and Microsoft Certified DBAa (MCDBAs) for real-world challenges. Mistakes affect not only administrators' careers but also the fortunes of the company's employees and customers. Therefore, the purpose of training should be to understand how to do things properly, not to make it easier to earn a piece of paper.
Most of the time, I wish intruders would just get married, have kids, and buy houses so that they wouldn't have the time to cause headaches for the rest of us. In this case, though, I applaud the malicious effort that has brought to light a security vulnerability that should never be left unattended. Perhaps now we can hope that companies will think twice before deciding to improve the bottom line by cutting the training budget.
