Zero-day attacks that take advantage of software vulnerabilities for which there are no available fixes are emerging as a major threat to corporate security.
More than ever, the threat underscores the need for companies to have safe configuration policies for software and systems, as well as good incident-response and patching capabilities, said users at the InfoSec 2003 trade show here in New York last week.
"I'm very concerned about it," said Joseph Inhoff, LAN administrator at Lutron Electronics, a manufacturer of lighting equipment in Coopersburg, Pa.
Because such attacks take advantage of flaws before software makers can fix them, the potential for damage from so-called zero-day exploits is something Lutron's management is especially worried about, Inhoff said. "I'm trying to figure out what I can do about it," said Inhoff, who was at the show to see how automated patching software could help bolster the company's response capabilities to such attacks.
Although they've been seen as a major security threat for some time, there haven't yet been any major zero-day attacks.
But users won't have to wait for long, warned Mary Ann Davidson, chief security officer at Oracle, a member of a panel discussing the topic at this week's event.
For one thing, malicious hackers are getting better and faster at exploiting flaws, Davidson said. Last summer's Blaster worm, one of the most virulent and widespread ever, hit the Internet barely a month after Microsoft released a patch for the software flaw it exploited. A variant called Nachi, carrying a dangerous payload, hit users less than a week later. In contrast, January's SQL Slammer worm took eight months to appear after the vulnerability it targeted was first disclosed.
"You can see that the time lines are collapsing," said Davidson. That trend suggests it's only a matter of time before users see attacks against flaws not yet disclosed or for which no patches are available, she said.
The number of new vulnerabilities and exploits surfacing on security newsgroups is another indication that such attacks aren't far off, said Todd Kunkel, network systems security administrator at Adelphi University, a Garden City, N.Y-based school with more than 7,500 students.
Kunkel monitors such groups on a daily basis to try to keep abreast of new flaws and see if work-arounds are possible before any exploit code becomes available. "I try to find out if there is anything that I need to worry about and see how I can go about fixing it," he said.
The relatively glacial pace at which some corporations patch their systems against known vulnerabilities also makes them attractive targets for both conventional and zero-day attacks, said Gerhard Eschelbeck, chief technology officer at Qualys in Redwood Shores, Calif.
Every quarter, Qualys conducts over 1 million vulnerability scans on behalf of 1,300 clients and "several thousand" prospects, Eschelbeck said. One such scan in November showed that over 12,000 systems were vulnerable to a flaw in a Microsoft Windows Remote Procedure Call function for which no patches were available.
The consequences can be "potentially devastating" for companies, said Dennis Brouwer, a senior vice president at SmartPipes, a Dublin, Ohio-based provider of managed networked services. "Your services will depend entirely on how quickly you are able to respond to such attacks," he said.
Having good processes in place for real-time vulnerability scanning and automated patching are key, Davidson said. It's also crucial for users to ensure that their software vendors are meeting specific safe-configuration requirements when products are shipped.
U.S. Federal agencies are already headed down that path. The U.S. Department of Energy in September signed a contract with Oracle under which the software vendor is required to meet a checklist of security settings when shipping software to the agency. Such measures are a good way to mitigate exposure to zero-day threats that take advantage of weak default settings, Davidson said.