The Morris computer worm, or "The same procedure as every year"
As at the beginning of every year, countless forecasts are again available in 2023 as to the direction in which the cybercrime landscape will develop. However, looking into a crystal ball - no matter how much evidence is available - is always just a bet on the future. It is therefore more interesting to take a look at the causes of cyberattacks throughout history. And here it quickly becomes clear that, in principle, we have been stumbling over the same three tiger-skin heads again and again for several decades now.
Our historical reference goes back to November 2, 1988, the day a dramatic Internet worm got its start. Named after computer scientist Robert T. Morris, the malware spread at an alarming rate over 30 years ago and is considered the first major malware attack. The Morris worm had three primary self-replication mechanisms based on three common programming and system management errors:
- Memory mismanagement: Morris exploited a buffer overflow vulnerability in a popular system network service at the time and achieved remote code execution (RCE).
- Poor password choice: Morris used a so-called dictionary attack to guess likely login passwords. He didn't have to guess every password - cracking just one was enough.
- Unpatched systems: Morris looked for email servers that were set up insecurely but later never updated to fix the dangerous remote code execution hole he abused.
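The first of the three mechanisms, as an added illustration that is not code from the article or from the worm itself: a network service copying an untrusted request line into a fixed-size buffer, written once in the unbounded 1988 style and once with the buffer size travelling alongside the buffer so that oversized input is rejected before a single byte is written. The function names, buffer size and request strings are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define REQ_MAX 16  /* constructed: room for 15 characters plus the NUL */

/* The Morris-era pattern: copy until the terminator and trust the sender
 * to stay under REQ_MAX. Any longer request writes past the end of buf,
 * which is the "memory mismanagement" the article names. Kept only for
 * contrast; it is never fed untrusted data here. */
static void copy_request_unchecked(char *buf, const char *req)
{
    strcpy(buf, req);   /* no length limit: the classic mistake */
}

/* Safer practice: measure the input against the real buffer size first,
 * refuse anything that would not fit together with its terminator, and
 * only then copy. Returns 0 on success, -1 when the request is too long. */
int copy_request_checked(char *buf, size_t bufsz, const char *req)
{
    size_t n = 0;
    while (n < bufsz && req[n] != '\0')   /* never scan past bufsz bytes */
        n++;
    if (n >= bufsz)                       /* no room for data plus NUL */
        return -1;
    memcpy(buf, req, n + 1);              /* n + 1 includes the terminator */
    return 0;
}

int main(void)
{
    char buf[REQ_MAX];
    const char *short_req = "GET status";                      /* 10 bytes, fits */
    const char *long_req  = "GET /AAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 30 bytes, does not */

    copy_request_unchecked(buf, short_req);   /* safe here only because it fits */
    printf("unchecked copy:      %s\n", buf);
    printf("checked, long input: %d\n", copy_request_checked(buf, sizeof buf, long_req));
    printf("checked, short input: %d -> %s\n",
           copy_request_checked(buf, sizeof buf, short_req), buf);
    return 0;
}
```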
Sound familiar? It should, because looking back at just last year, we collectively continued to suffer from the same kinds of cybersecurity issues, and we will keep dealing with those "tiger-skin heads" in 2023. So basically it's "the same procedure as every year" again this year - we don't need reams of new cybersecurity predictions to have a really good idea of where to start.
In other words: We must not lose sight of the fundamentals when creating cybersecurity concepts and should avoid solving only specific and currently headline-grabbing security problems. Only by getting to grips with the cybersecurity sins of the past can we effectively tackle modern cyberthreats.
So what's to be done? The good news is that when it comes to programming, vendors are getting better at dealing with many of these old-school problems. For example, Sophos is learning to use safer programming practices and safer programming languages, and to embed its running code in sandboxes with better behavior blocking to make buffer overflows harder to exploit.
We're all getting better at learning to use password managers, even though they bring their own fascinating problems. We are becoming more proficient at using alternative identity verification technologies and no longer relying on simple passwords that we hope no one will predict or guess. Better still is multifactor authentication, which we should use wherever possible.
And not only are we getting patches faster from vendors (at least responsible ones - the joke that the S in IoT stands for security still seems to be very current, unfortunately), but we are increasingly showing ourselves willing to apply patches and updates faster in both private and business environments.
Sophos, like others in the industry, is also a strong advocate for modern CaaS technologies like XDR and MDR, which means accepting that dealing with cyberattacks is not just about finding malware and removing it when necessary. Today, much more than a few years ago, vendors tend to invest time not only in looking for known bad things that need to be fixed, but also in making sure that the good things that are supposed to be there are actually there and are actually doing something useful.
Sophos also takes more time to proactively look for potentially harmful things, rather than waiting for the proverbial alerts to automatically appear in cybersecurity dashboards. And that's the best way to keep cybercriminals in their place in 2023 - and hopping gracefully over the tiger's head.