Stay on Top of the Latest Security Threats
Researchers predict that a new
kind of worm will spread havoc in a matter of minutes or even seconds.
Here's how to mount a proper defense.
In retrospect, the names seem almost quaint: Melissa, LoveLetter,
AnnaKournikova. Disruptive and damaging though they were, these
worms/viruses already seem part of a bygone era. After all, they
relied on users to open an email message before they could propagate
further, and they often took days or even weeks to wreak their havoc.
A mere perusal of the names affixed to the latest worms -- Code
Red, Nimda, Slammer -- shows how the stakes have changed. With these
so-called "blended threats," an infected machine can infect
other machines without relying on any user interaction at all. That
means infections that spread in a matter of hours or even minutes.
Unfortunately, security experts don't expect the pace to slow anytime
soon. A look at their terminology shows why: future threats are
described with names like "Day Zero," "Warhol"
(for its purported ability to knock out the Web in 15 minutes),
and "Flash." Prepare to fast-forward to the future.
A new breed of threat
Blended threats like Code Red and Nimda were effective because they
combined the most devastating characteristics of viruses, worms,
Trojan horses, and malicious code to exploit existing computer and
Internet vulnerabilities. (Nimda, for example, had five methods
of propagation.) By utilizing these multiple methods, blended threats
can quickly defeat computer systems that employ just one form of
Internet security, allowing them to spread rapidly and cause widespread
damage.
Typically these exploits occurred quite some time after a vulnerability
was identified, and that time in between is called the "vulnerability
threat window." Nimda and Slammer had vulnerability threat
windows of many months, leaving plenty of time for the vendor to
create a patch and the public to be warned, thus reducing potential
threat damage. On average, exploits are created six months after
a vulnerability is publicly disclosed.
But in the case of a hypothetical Day Zero attack, security experts
anticipate infections that spread in a matter of minutes or seconds
and are impervious to human intervention. They point out that the
Slammer worm, launched this past January, spread hundreds of times
faster than Code Red or Nimda, its infection rate doubling every
8.5 seconds during the first galvanic minute of its attack. Indeed,
computer scientists at the University of California in San Diego
found that within 10 minutes of its debut, Slammer had infected
more than 75,000 vulnerable hosts. In addition, they found that
Slammer's software instructions, at 376 bytes, were about one-tenth
the size of Code Red's; the tiny size enabled it to reproduce rapidly
and to fit into a type of network "packet" that was sent
one-way to potential victims, an aggressive approach designed to
infect all vulnerable machines rapidly and saturate the Internet's
bandwidth.
On the horizon?
The conclusions that security experts draw from these blended threats
point to a Day Zero attack that will occur when it becomes possible
for an exploit to be created and released immediately after a vulnerability
is discovered, leaving no time for computer administrators or users
to respond. Such an attack would likely use "hit lists"
to target vulnerable Internet hosts and equipment, such as routers,
rather than scanning aimlessly, as was the case with Code Red and
Nimda. Researchers have also focused on the threat posed by so-called
"surreptitious" worms that spread more slowly but in a
much-harder-to-detect fashion. Though still confined to the realm
of theory, these worms have been shown capable of subverting upwards
of 10,000,000 Internet hosts. Even more disturbing, researchers
have shown how such worms could be controlled and updated by attackers
almost indefinitely. The bottom line is hard to ignore: As we move
from blended threats to Day Zero attacks, we can expect disruptions
that are major rather than short-term.
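The Slammer figures quoted above (infections doubling every 8.5 seconds, about 75,000 vulnerable hosts) can be dropped into the standard susceptible-infected epidemic model to estimate how little time defenders actually have, and how a worm that starts from a larger foothold (the hit-list scenario described in this section) shrinks that window further. This is an added example, not code from the original article; treating 75,000 as the entire vulnerable population and the logistic model as a fit for random scanning are assumptions.

```python
"""Susceptible-infected (SI) model of a random-scanning worm, parameterised
with the Slammer numbers quoted in the article.  Assumption: the 75,000
hosts infected in ten minutes are the whole vulnerable population."""
import math

DOUBLING_S = 8.5    # early doubling time reported for Slammer (from the article)
N_VULN = 75_000     # vulnerable hosts reported for Slammer (from the article)


def growth_rate(doubling_s: float) -> float:
    """Contact rate K (per second) giving the observed early doubling time."""
    return math.log(2) / doubling_s


def time_to_fraction(frac: float, n0: int = 1, n_vuln: int = N_VULN,
                     doubling_s: float = DOUBLING_S) -> float:
    """Seconds until `frac` of the population is infected: closed form of the
    logistic model da/dt = K a (1 - a), starting from n0 infected hosts."""
    def logit(a: float) -> float:
        return math.log(a / (1 - a))
    return (logit(frac) - logit(n0 / n_vuln)) / growth_rate(doubling_s)


def simulate(seconds: float, n0: int = 1, n_vuln: int = N_VULN,
             doubling_s: float = DOUBLING_S, dt: float = 0.1) -> float:
    """Euler integration of the same model; returns the infected fraction at
    `seconds`.  Cross-checks the closed form and is easy to extend (e.g. to
    add a containment rate once defences start blocking the scan traffic)."""
    k, a = growth_rate(doubling_s), n0 / n_vuln
    for _ in range(int(seconds / dt)):
        a += dt * k * a * (1 - a)
    return a


def response_window_min(frac: float = 0.9, n0: int = 1) -> float:
    """Minutes a defender has before `frac` of vulnerable hosts are infected."""
    return time_to_fraction(frac, n0=n0) / 60


if __name__ == "__main__":
    for frac in (0.5, 0.9, 0.99):
        print(f"{int(frac * 100):>3}% infected after {time_to_fraction(frac):6.1f} s")
    # A larger initial foothold (the hit-list scenario) cuts the window sharply.
    print(f"window to 90%, 1 initial host:     {response_window_min():.1f} min")
    print(f"window to 90%, 1000 initial hosts: {response_window_min(n0=1000):.1f} min")
```

With these parameters the model reaches 90% of the vulnerable population in well under three minutes from a single host, and in about 80 seconds when the worm starts with a thousand, which is why the article argues that human-speed response cannot be the only line of defence.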
Protection strategies
The rise of this new kind of cyber-threat necessarily entails a
shift in the profile of the attacker. Forget about amateur programmers
or "script kiddies" whose attacks provided the means to
a little fame or notoriety (and maybe a few credit card numbers).
Day Zero attackers will be a different breed altogether, experts
say; they will be better funded and more dedicated, more likely
than not to be associated with organized crime or terrorist organizations.
So how can businesses protect themselves from such attackers?
Security experts agree that implementing best practices remains
the best way to minimize harm. In particular, that means removing
unneeded services, keeping patches up-to-date, and enforcing strong
passwords.
- Remove unneeded services. Organizations need to determine
which services they truly require and remove any that are unnecessary.
Eliminating unneeded services can dramatically reduce system vulnerability.
For example, there is no reason to run a Windows NT Server with
IIS Web Server on an employee's desktop computer; removal of IIS
from company desktops will preemptively defeat attacks that are
designed to exploit such vulnerabilities.
- Keep patches up-to-date. Most blended threats are based
on known vulnerabilities. Keep operating systems, applications,
and security products up-to-date with the latest security patches.
This will seal off many open doors that blended threats have used
in the past to spread.
- Enforce strong passwords. The use of strong passwords
enforced through consistent and frequent vulnerability assessment
can help mitigate the most common exploit: brute-force password
attacks. Passwords should be randomly chosen and should not be names
or important dates. A good password will be at least eight characters
long and include both letters and numbers. A policy that requires
users to change their passwords regularly also reduces the risk
of a system breach.
Businesses that want to go beyond best practices may want to consider
implementing what is called security-in-depth. The aim of security-in-depth
is to create a defensive barrier that is extremely difficult and
costly to circumvent through a combination of antivirus software,
content filtering, firewall, vulnerability management, and intrusion
detection. When these defenses are used together, they can slow
down or prevent an attack from spreading by quarantining the code,
alerting you to its presence, repairing the damage, or blocking
it out completely.
A combination of best practices and security-in-depth provides the
strongest line of defense against today's -- and tomorrow's -- complex
cyber-attacks. Businesses should also use a layered approach to computer
security by implementing security products at all levels of their
network (desktop, server, and Internet gateway). Finally, and perhaps
most importantly, all employees should be regularly trained on how
to recognize and avoid sophisticated Internet threats.