Last June, it seemed the onslaught would never end. One after another, a progression of worms and other malware threatened to bring down systems as enterprises floundered in a morass of unpatched vulnerabilities and malicious emails opened by unwary employees.
The worms did more than just annoy. Organisations ranging from the US Marines to CSX, one of the largest transportation companies in the world, found themselves temporarily out of business. At CSX, the Nachi worm took out the sprawling railroad’s signalling systems, stranding train traffic for nearly two days.
This summer, things appear to have calmed down. New worm attacks have dropped to a lower level — but that doesn’t mean the threat is gone.
It may seem as though the best way to cope with worms is to accept defeat, but that’s not true. You need to stay on your toes and keep up with new techniques for dealing with these worms as they are developed. The best worm defence means doing what you’ve always done — keep your antivirus software up to date, and patch, patch, patch — and backing it up with cultural changes that emphasise the value of security.
Worms at work
Worms do their damage quickly, and they’re getting faster. During one testing session in October, an unprotected server being used by InfoWorld at the University of Hawaii’s Advanced Network Computing Lab was infected by Nachi in less than 12 minutes. Worse, there is evidence reported by Symantec’s Deep Sight (currently being tested in InfoWorld’s labs) that penetration attempts are on the increase. Are these signs of soon-to-be-released worms?
Right now, it’s impossible to say, but the trends being highlighted by Deep Sight are alarming. Even the experts say we haven’t seen anything yet.
“It will get worse,” CTO of Permeo Technologies, Dr Wei Lu, said. “It’s now a competition [between worm authors].”
“Significant worms are propagating more frequently,” vice-president of engineering at Mazu Networks, Carty Castaldi, said. “The authors are getting more sophisticated.”
This growing sophistication means that worms are spreading by new methods and are doing damage even more effectively.
A security strategist at Computer Associates, Ian Hameroff, agreed: “These [recent] types of worms are a real present danger and threat. Luckily they haven’t been that destructive in terms of destroying data.”
As do other experts, Hameroff is worried that worm creators could combine fast propagation with a destructive payload, such as worms that send private or classified data to an outside location, or destroy or modify data.
Hameroff said, “The time between disclosure of a vulnerability by a vendor and the malware that exploits it is getting shorter.” This was further evidence that worm creators are getting faster and better.
Unfortunately, there is no easy way to keep the barbarians and their worms at bay. The best defence is to do as you’ve always done — but with increased vigilance. Check for vulnerabilities, then patch. When you’ve done that, patch some more. And while you’re at it, check for new security tools. Then patch some more.
This patching consumed a great deal of staff resources, chief information security officer at Prudential Financial, Ken Tyminski, said.
He said the company had been very aggressive with patching.
“When one of these vulnerabilities comes out, everything stops and we start patching everything that needs to be patched,” Tyminski said. “We have consciously made a decision that we will patch as quickly as we possibly can to stay ahead of these things.”
The constant patching was both difficult and expensive, but Tyminski said that it was absolutely necessary given the increasingly destructive nature of worms.
However, Tyminski does more than just patch — a strategy that boosts his worm-fighting abilities and one that other enterprises should take to heart.
He is careful about patching only when it will affect the software he uses. Patching software that you don’t run can cause instability or problems with other, integrated apps, so it’s best to patch only what needs fixing.
Tyminski also takes the time to test those patches before deployment.
“We do a little bit of triage on them,” Tyminski said.
His staff developed a threat profile to determine how quickly it needed to patch any given server, he said.
As another precaution, Prudential is careful about who can access the company network, and what devices and connections they use when they do so. For example, Tyminski uses Sygate’s firewall product to protect individual computers, and he also uses Sygate’s enterprise product to enforce his security policies.
This means that a user calling into the Prudential enterprise can’t be connected to the company VPN and the Internet at the same time, preventing someone from breaking into a remote machine and using it as a pathway into the enterprise. The Sygate software also enforces antivirus status, patch levels on client machines, and even the client’s current firewall software levels.
A six-step program
All of this no doubt seems like a lot of drudgery, and to some extent it is. But it’s no less important than the process of locking the door at night, or keeping valuable documents in a vault. Good security, especially in the case of worms and viruses, means addressing employee and staff training, physical security, and other cultural changes that allow security technologies to do their best work.
CA’s Hameroff said there were six necessary steps, spanning both technical and cultural needs, to keeping your enterprise worm-free.
First, collect vulnerability information. It can come from a number of places, ranging from manufacturers’ published vulnerabilities to chatter on hacker websites. You can also have this information collected for you via vulnerability assessment software.
Next, validate the accuracy of your information. There’s a lot of bad information out there, especially when it comes to worms and other security breaches, and until you know it’s correct, you probably shouldn’t act on it. Of course, you don’t want to delay acting on information too long, or you may be more at risk — checking with a respected source, such as the product manufacturer, should help pin down the exact vulnerability.
Thirdly, form a plan to remediate the vulnerability. This may mean applying the appropriate patches, changing hardware or application configurations, or making policy changes, according to Hameroff.
Then, inventory your environment — you have to know what you have before you can patch it. This may also help you figure out where potential future vulnerabilities lie, so you can proactively address them in future maintenance.
“Stage five is to do an analysis of correlations between your assets and vulnerability knowledge,” Hameroff said.
Here, software tools might be able to help.
Finally, fix the problem and check that you’ve done it correctly.
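The six steps above, together with Tyminski’s “threat profile” for deciding how quickly a given server must be patched, amount to a small vulnerability-management workflow. The following script is an added example written for this page, not code from CA, Prudential or any vendor named here; the advisory ids, product names, versions, hosts and deadline table are all constructed placeholders. It keeps only advisories confirmed by a trusted source (step 2), matches them against an inventory of installed versions (steps 4 and 5), assigns a patch deadline from an exposure-by-severity threat profile, and re-runs the correlation after a fix to confirm the finding has closed (step 6).

```python
"""Correlating validated vulnerability knowledge with an asset inventory.

Steps modelled (all data below is constructed for this example):
  1. collect    - advisories gathered from several feeds
  2. validate   - only advisories confirmed by a trusted source are acted on
  3. plan       - each advisory carries a planned remediation action
  4. inventory  - what software runs on which host, and how exposed it is
  5. correlate  - match advisories to assets and derive a patch deadline
  6. fix/verify - re-run the correlation after patching to confirm closure
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Advisory:
    adv_id: str                 # placeholder id, not a real CVE number
    product: str
    fixed_in: tuple             # first version that contains the fix
    severity: str               # "critical", "high" or "medium"
    remediation: str            # the planned action (step 3)
    confirmed_by: Optional[str] # trusted source that validated it (step 2)


@dataclass
class Asset:
    host: str
    software: dict              # product -> installed version tuple
    exposure: str               # "internet", "dmz" or "internal"


def validate(advisories):
    """Step 2: act only on advisories confirmed by a trusted source."""
    return [a for a in advisories if a.confirmed_by]


# Threat profile (step 5): patch deadline in hours by (exposure, severity).
# Hypothetical values chosen for illustration, not a recommendation.
DEADLINE_HOURS = {
    ("internet", "critical"): 24,  ("internet", "high"): 72,  ("internet", "medium"): 168,
    ("dmz", "critical"): 48,       ("dmz", "high"): 168,      ("dmz", "medium"): 336,
    ("internal", "critical"): 72,  ("internal", "high"): 336, ("internal", "medium"): 720,
}


def correlate(assets, advisories):
    """Step 5: match each validated advisory against installed versions."""
    findings = []
    for asset in assets:
        for adv in validate(advisories):
            installed = asset.software.get(adv.product)
            if installed is None or installed >= adv.fixed_in:
                continue  # product absent, or already at a fixed version
            findings.append({
                "host": asset.host,
                "advisory": adv.adv_id,
                "action": adv.remediation,
                "deadline_hours": DEADLINE_HOURS[(asset.exposure, adv.severity)],
            })
    # Most urgent first, so the patch team works top-down.
    return sorted(findings, key=lambda f: (f["deadline_hours"], f["host"]))


def apply_fix(asset, advisory):
    """Step 6a: record the fix in the inventory (here, bumping the version)."""
    asset.software[advisory.product] = advisory.fixed_in


def verify_closed(assets, advisories, adv_id):
    """Step 6b: true when the advisory no longer matches any asset."""
    return not any(f["advisory"] == adv_id for f in correlate(assets, advisories))


# Constructed sample data (hypothetical products, versions and hosts).
ADVISORIES = [
    Advisory("ADV-0001", "webserver", (2, 4, 1), "critical", "apply vendor patch 2.4.1", "vendor"),
    Advisory("ADV-0002", "dbserver", (9, 2, 0), "high", "upgrade to 9.2.0", "vendor"),
    Advisory("ADV-0003", "mailrelay", (1, 9, 0), "critical", "disable open relay", None),  # unconfirmed chatter
]
ASSETS = [
    Asset("web01", {"webserver": (2, 4, 0)}, "internet"),
    Asset("db01", {"dbserver": (9, 1, 3), "webserver": (2, 4, 1)}, "internal"),
    Asset("mail01", {"mailrelay": (1, 8, 0)}, "dmz"),
]

if __name__ == "__main__":
    for finding in correlate(ASSETS, ADVISORIES):
        print(finding)
```

On the constructed data the unconfirmed ADV-0003 is dropped at validation, web01 gets a 24-hour deadline for the critical web-server advisory, and db01 gets a 336-hour deadline for the high-severity database advisory; after apply_fix on web01 the first finding no longer appears. The version tuples stand in for whatever the inventory tool actually reports, and the deadline table is the place where an organisation’s own threat profile would go.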
Watching the horizon
As important as it is to make sure your software is patched, it’s also clear that patches aren’t a perfect solution when worms are the problem. Currently, the time between the discovery of a new vulnerability and the exploit that takes advantage of it may be only two or three days. That’s simply not enough time for a large company — even one that moves aggressively — to apply the patches it needs.
Because they simply examine packets as they enter the enterprise, firewalls have their limitations. They may limit damage, but they won’t stop everything, including most types of worms. Companies thinking that they’re safe with only a firewall in place are deluding themselves.
“You cannot build intelligence that way,” Permeo’s Lu said.
He suggested the real secret to detecting worms lies with examining the behaviour of applications.
Usually only a few applications were running, so it was relatively easy to keep tabs on their performance, Lu said.
He said that any unexpected behaviour from an application could be a sign of a worm at work.
Castaldi said that future worm warfare would involve building statistical models of the behaviour of applications.
“When there’s anomalous [application] behaviour, it can be used to tell if a worm is propagating and what vector it’s using,” he said.
Just watching an application can tell you a lot about what’s going on in your network, and you can keep an eye on traffic with monitoring tools such as those from Zone Labs and similar vendors.
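Lu’s point about unexpected application behaviour and Castaldi’s statistical models come down to the same mechanism: baseline what each application normally does on the network, then flag a departure from that baseline and note the port it is happening on. The script below is an added example written for this page, not code from Permeo, Mazu Networks or Zone Labs; the process names, per-minute counts and ports are constructed. It models each process by the number of distinct destination hosts it contacts per minute, computes a mean and standard deviation from a training window, and raises an alert when a live minute exceeds mean plus k standard deviations (with an absolute floor so quiet processes do not alert on trivial changes), reporting the dominant destination port as the likely propagation vector.

```python
"""Baselining per-application network behaviour to spot worm-like bursts.

Constructed data: one record per minute per process giving the number of
distinct destination hosts contacted and the destination port most used.
A propagating worm drives a process to contact far more distinct hosts per
minute than its baseline, usually on a single port (the vector).
"""
from collections import defaultdict
from statistics import mean, pstdev

# (minute, process, distinct_dest_hosts, top_dest_port): constructed training
# window of 30 quiet minutes for two hypothetical processes.
TRAINING = [(m, "httpd", 3 + (m % 2), 80) for m in range(30)] + \
           [(m, "smbd", 1 + (m % 3), 445) for m in range(30)]

# Constructed live window; minute 32 shows a sudden fan-out on a new port.
LIVE = [
    (31, "httpd", 4, 80),
    (31, "smbd", 2, 445),
    (32, "httpd", 3, 80),
    (32, "smbd", 190, 135),
]


def build_baseline(records):
    """Per-process (mean, population std-dev) of distinct hosts per minute."""
    by_proc = defaultdict(list)
    for _minute, proc, hosts, _port in records:
        by_proc[proc].append(hosts)
    return {proc: (mean(vals), pstdev(vals)) for proc, vals in by_proc.items()}


def detect(records, baseline, k=3.0, min_hosts=20):
    """Return (minute, process, hosts, port) for each anomalous record.

    A record is anomalous when the process is unknown to the baseline (Lu's
    "unexpected behaviour") or when its host count is at least `min_hosts`
    and exceeds mean + k * std-dev. The floor stops near-zero std-devs on
    quiet processes from turning a one-host change into an alert. The port
    in each alert points at the probable vector.
    """
    alerts = []
    for minute, proc, hosts, port in records:
        if proc not in baseline:
            alerts.append((minute, proc, hosts, port))
            continue
        mu, sigma = baseline[proc]
        if hosts >= min_hosts and hosts > mu + k * sigma:
            alerts.append((minute, proc, hosts, port))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(TRAINING)
    for minute, proc, hosts, port in detect(LIVE, baseline):
        print(f"minute {minute}: {proc} contacted {hosts} hosts, mostly on port {port}")
```

On the constructed data smbd’s baseline is about 2 hosts per minute with a standard deviation under 1, so the 190-host burst on port 135 at minute 32 is the only alert; httpd’s normal 3 to 4 hosts per minute stays silent. A real deployment would feed the records from flow or host-agent data and tune k and the floor per process, but the shape of the model is what Castaldi describes: a per-application statistical baseline and a test against it.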
There’s every reason to believe that the worms of 2004 will be more numerous and more destructive than anything we’ve seen. Many security experts believe that the worms of August 2003 were only a test run — a first attempt to see what could be done with this means of attack.
The next step is to create worms for identity theft, for looting corporate secrets, for stealing financial information or other private material. Imagine the havoc that could be caused by one expert’s example of a worm that searches for a database field labelled “SSN” then randomly changes a single number in each field.
Because of their varied nature and constant evolution, and despite all of the forces arrayed to fight worms, it’s unlikely they will ever be eliminated. Ultimately, enterprises will be limited to managing the threat by triage rather than making worms disappear completely. But with the right tools — and the right practices — it’s possible to keep the threat under control. And getting worms under control is better than the unrestricted spread of damage we’ve already witnessed.