The Morris Computer Worm or "The same procedure as every year"
As at the beginning of every year, there are again countless forecasts available in 2023 as to the direction in which the cybercrime landscape will develop. However, looking into a crystal ball - even if there are many indications available - is always just a bet on the future. It is therefore more interesting to take a look at the causes of cyberattacks throughout history. And here it quickly becomes clear that, in principle, we have been stumbling over the same three tiger-skin heads again and again for several decades.
Our historical reference goes back to 2 November 1988, the day a dramatic internet worm got its start. Named after computer scientist Robert T. Morris, the malware spread at an alarming rate over 30 years ago and is considered the first major malware attack. The Morris worm had three primary self-replication mechanisms based on three common programming and system management errors:
- Memory mismanagement:
Morris exploited a buffer overflow vulnerability in a popular system network service at the time and achieved RCE (remote code execution).
- Poor password guessing:
Morris used a so-called dictionary attack to guess likely login passwords. He did not have to guess every password - it was enough to crack just one.
- Unpatched systems:
Morris looked for email servers that were set up insecurely but later never updated to fix the dangerous remote code execution hole he abused.
Sound familiar? It should, because broken down collectively, we continued to suffer from the same kind of cybersecurity issues last year and will continue to deal with these "tiger skin heads" in 2023. So basically it's "the same procedure as every year" again this year - we don't need reams of new cybersecurity predictions to have a really good idea of where to start.
In other words: We must not lose sight of the basics when creating cybersecurity concepts and should avoid solving only specific and currently headline-grabbing security problems. Only by getting to grips with the cybersecurity sins of the past can we effectively tackle modern cyber threats.
So what needs to be done? The good news is that when it comes to programming, vendors are getting better at dealing with many of these old-school problems. For example, Sophos is learning to use more secure programming practices, more secure programming languages, and embedding your running code in sandboxes with better behaviour blocking to make it harder to exploit buffer overflows.
We are all getting better at learning to use password managers, although they bring their own fascinating problems. We are becoming more practiced at using alternative identity verification technologies or not relying on simple passwords that we hope no one will predict or guess. But multifactor authentication is even better, and we should use it everywhere we can.
And not only are we getting patches faster from vendors (at least responsible ones - the joke that the S in IoT stands for security still seems to be very current, unfortunately), but we are increasingly showing a willingness to apply patches and updates faster in both private and business environments.
Sophos, like others in the industry, is also a strong advocate of modern CaaS technologies such as XDR and MDR, which means you accept that dealing with cyber-attacks is not just about finding malware and removing it when necessary. These days, much more than a few years ago, vendors tend to spend time not only looking for known bad stuff that needs fixing, but also making sure that the good stuff that's supposed to be there actually is, and actually does something useful.
Sophos also takes more time to proactively look for potentially harmful things, rather than waiting for the proverbial alerts to automatically appear in cybersecurity dashboards. And these are the best prerequisites for putting cybercriminals in their place in 2023 - and elegantly hopping over the tiger's head.