This month marks 20 years since the ILOVEYOU virus hit computer networks. For me, it represented a milestone in my security career. Up until that point security was a technical challenge, solving problems associated with the global distribution of public keys for secure email exchange. (As an aside, I’ve blogged on this many times; it is a challenge still not resolved in a usable way today.)
My first exposure to ILOVEYOU was when the Nexor CEO came into our office confessing he may have clicked something, and his computer was now behaving strangely. The remedy was fairly easy: disconnect from the network and rebuild the PC. To be honest, as a technologist, it was quite exciting at the time, seeing a real live virus in action.
The learning was more important. Security was about far more than technology. It’s also about people and process.
I could go on about how the CEO should not have clicked the link, but the last 20 years have shown those links will still be clicked no matter how much education we provide. Don’t get me wrong. Education is still vital and will reduce the number of incidents, but incidents will still happen.
The more interesting part of the 20-year-old incident was the learning around incident response. We were able to contain the incident because we (sort of) knew what we were doing and took no risks: we went for a rebuild, despite the inconvenience to the CEO. What we had unwittingly created was an early example of an “incident response plan”. This was about process, relatively simple technical steps (rebuild a PC) and some post-event briefings. It was not long after that I started to understand where emerging standards like BS7799, which became ISO 27001, fitted in the overall security story.
This month, 20 years later, I’ve just briefed one of my team who is creating an incident response plan for a customer. Who would have thought such a simple incident would have direct relevance 20 years later!