Unless you've been on an island with no phones or Internet access for the past week, you've heard about the W32/SQL Slammer worm, which broke out early Saturday morning and slowed the Internet to a crawl for several hours. If you were fortunate, you had already patched any Microsoft SQL Server 2000 machines you're responsible for.
Many of the discussions I've seen about this outbreak have centered on who's at fault. Of course, many entities share some of the responsibility, but the finger pointing continues. Here are some of the accusations I've heard:
- It's the administrator's fault—One of the most common explanations for SQL Slammer's impact is that SQL administrators failed to do their jobs properly and patch their systems. After all, Microsoft released a patch last summer to address the vulnerability that SQL Slammer exploited.
- It's Microsoft's fault—Another common argument is that Microsoft is at fault for releasing shoddy products that require constant patches. Microsoft security bulletins are often difficult to decipher, and the company isn't consistent in how it chooses to disseminate such information.
- It's my company's fault—Companies are stretching IT resources more thinly than ever before, expecting IT people to become jacks of all trades. Staying on top of everything is difficult when you're managing dozens of servers running Windows 2000, SQL Server, Microsoft Exchange Server, Microsoft IIS, and other applications and services. Companies can't reasonably expect to remain immune to attacks when they make it so hard for IT departments to do a good job.
Each of these arguments holds a bit of truth, but none by itself paints the entire picture. Whether you're preparing to enter the IT field or studying to get ahead, the important lesson here is that finger pointing will get you nowhere. You must be proactive and responsible despite the circumstances.
Far too many executives believe that if you aren't physically working on a system, you must not have enough to do. These managers don't understand what goes into effective systems administration and management and, as a result, set up their IT people for failure. Because IT is often considered "overhead" or "a necessary evil" that sucks from the bottom line, IT departments rarely receive the resources they need.
Yet, despite the challenges, you're hardly powerless. In many cases, IT people simply don't know how to effectively communicate what they do or need in terms of business goals, strategies, and direction. Management doesn't need to know the intricate details of administering systems, but it does need to understand on a general level what systems administration entails and why it's important to the business. You must express these ideas in the language of business, not the language of technology. If you can get business leaders on your side, many of the resource challenges you face will subside or disappear. If you're in a position of influence, you also have the ability (and responsibility) to recommend different solutions. And if you're stretched thin, take responsibility and do what you can. For example, create checklists of tasks and maintenance chores so that nothing falls through the cracks. You might not be able to patch a vulnerability immediately, but you have no excuse if 6 months pass and you haven't taken care of it.
SQL Slammer illustrates the disconnect between vendors, business leaders, and IT. Communication and cooperation must improve. We must overcome our tendencies to lay blame at someone else's feet and work to devise solutions that will prevent scenarios like this from replaying themselves year after year. Don't point fingers; take responsibility and do what you can at your site.