Worm wave highlights need for speedier defenses
- 19 August, 2005 07:40
The speed at which hackers were able to take advantage of newly disclosed software flaws makes its vital for companies to look beyond patching to broader and more holistic measures for controlling vulnerabilities, security experts said.
The advice comes in the wake of a wave of worms this week that targeted a flaw in a Plug and Play component of Microsoft's Windows 2000 software.
The worms hit several companies, including The New York Times, CNN, ABC News, Caterpillar Inc. and General Electric Co., and came less than a week after the hole they exploited was disclosed by Microsoft as part of its monthly patch-release cycle (see "Microsoft patches three 'critical' Windows flaws").
The worms, which had names such as W32/Zotob A, W32/Zobot D, W32/Rbot.CBQ and W32/Esbot-A, caused infected systems to repeatedly restart and potentially allowed remote attackers to take control of compromised systems. But the fact that the malware targeted only older Windows 2000 systems meant that the number of infected systems was fairly low, according to estimates by some antivirus vendors.
Even so, the 11 or so worms that were unleashed this week served as a sobering illustration of the ability of hackers to take advantage of new flaws before many companies have a chance to patch them, said John Pironti, principal security consultant at Unisys.
"What has happened is that hackers have adopted new attack techniques," Pironti said. "Instead of going out and looking for vulnerabilites on their own, what they are doing is waiting for patches to be released to see what holes are being fixed," and then going after those holes as quickly as they can, he said.
The trend could leave companies dangerously exposed, especially large ones that typically need time to test and analyse patches before deploying them, he said.
"They have to assume that they are going to be vulnerable to attack from the moment a patch is out," Pironti said. "They need to have countermeasures in place while the patches are tested" and deployed, he said.
Companies need to think about implementing the equivalent of the color-coded threat system used by the US Department of Homeland Security when dealing with newly disclosed flaws, said Dave Jordan, chief information security officer for the government of Arlington County.
"They should conduct business differently than they would day to day" and establish whatever countermeasures they can to mitigate risk as soon as possible, he said.
These measures include doing a thorough threat analysis when new vulnerabilities are announced, understanding what the specific risks are, turning off services and shutting down systems where needed, blocking access to affected ports, and using intrusion-detection sensors to monitor for unusual activity, security experts said.
The vast majority of worms and viruses, including those launched this week, use common attack methods and take advantage of the same flaws, such as buffer overflows, to attack vulnerable systems, said Thor Larholm, a senior security researcher at PivX Solutions, a security software vendor in California.
Instead of relying solely on patches to fix every new flaw, it's better to address some of the common underlying vulnerabilities, he said. "There are multiple ways to protect against entire classes" of vulnerabilties without having to apply patches for each one of them, Larholm said.
For instance, PivX is one of the vendors that sell tools to repair generic buffer overflows in the absence of vendor patches. Similar tools are available for detecting and shutting down port scanners, spotting unusual application behaviors, and for controlling inbound and outbound connections based on protocols, ports and host addresses.
"About 90% of the worms out there can be mitigated against just by hardening your systems," Larholm said. For instance, just disabling so-called null-session accounts, which are enabled by default on Windows 2000 systems, would have prevented this week's worms from taking advantage of the Plug and Play flaw, he said.
"I think what these attacks show is that there is still a fair bit of latency within a lot of companies" between patch release and deployment, said Fred Rica, a partner at PricewaterhouseCoopers in New York.
One way of mitigating risk is to employ better processes for testing and deploying patches, he said. The use of event management and correlation tools to monitor network and security log data for signs that a particular vulnerability may be getting exploited is also a good idea, Rica said.
"Building an event management capability can help you get ahead of some this stuff," he said.