The real threats were not what they expected.
Like Dorothy had to travel her road, the Internet is an essential part of almost every business. And like the road to Oz, our threats also are changing.
Today, we have some interesting shifts happening in threats to our online activities. We need to know what those are to be better prepared to handle the real challenges and avoid the FUD -- fear, uncertainty, and doubt -- that too often surrounds system security.
Typically small and not able to travel on their own, these viruses need users to propagate. We share them by floppy, by macro, and by email. And, generally speaking, it needs a user to press 'enter' or click 'yes' to actually execute. That execution could cause anything from reformatting a hard-drive to having letters drop from a document to the bottom of the screen.
Worms are the next major type of infector. They are self-replicating code that proliferates and clogs networks, and eats CPU cycles.
And then there also are Trojan Horses, which are programs that look like one thing while doing something else. The something else is often a remote access capability, such as sub-seven, that offers almost complete external control of a computer to an unauthorized user.
For all of these, the most common vulnerabilities they exploit tend to be operating system related.
With web-based applications on intranets and the Internet, many of the recent infectors are exploiting applications. SQL was attacked by Slammer. And the Local Security Authority Subsystem Service was hit by Sasser-B.
The web is enabling increased use of hybrids or combinations of malware to attack systems.
The Spread of Hybrids
Some hybrids target applications, like SQL, or features, like Active Directory service functions, that are common in particular operating systems. But the vulnerability is increasingly in the application, rather than in the OS itself.
Hybrid malware may use worm techniques for spreading, a virus to do damage, and then implant a Trojan horse to turn the system into a zombie or remotely controlled proxy or remailer.
Spyware and ad-bots can add to these risks, as can the uncontrolled use of peer-to-peer technologies like kazaa. While ostensibly for market research or file sharing -- 'legal' sharing, only, please -- even well-intentioned uses of such software can open gaping holes in network firewalls. It is these leaky holes that create risk by providing potential attackers with both systems information for exploiting, and personal information that can be stolen and used for identity theft.
The good news is that host and enterprise anti-virus software identifies and stops the lion's share of all of these forms of malicious software.
The bad news is that times are changing -- fast.
The speed with which new infectors are popping up is increasing. The cycle time between knowledge of a vulnerability and the release of an exploit is shrinking. We may not be at the point, yet, where exploits pre-date patches but the trends make that a foreseeable event.
Remember that in practical terms, it's not the release date of the patch, but the time it takes to test and then apply the patch that is a bigger concern to enterprise system managers.
Where does that leave us? How do we defend against faster, nastier, and smarter malware?
Yes, we can. In fact, the concepts are not new and generally are not rocket science. They're simply the diligent application of known principles.
Start with the principle of least privilege (POLP). Don't give people or programs greater access to other data than necessary to do their jobs. Don't log in as ''administrator'' if you're a user writing a word document, even if you also are a sys admin. Turn off unneeded services and programs. Know the system, and manage firewall and router Access Control Lists. Use layers or 'defense in depth' techniques with network anti-virus and intrusion detection systems, as well as host-based approaches.
A thorough understanding of the organization's network is essential.
Simple Network Management Protocol (SNMP) has had a number of widely publicized flaws in the last year or so that generated a call to universally disable it. However, there are programs that rely on SNMP to work. We need to ensure that the ports for SNMP (UDP 161 and 162) are blocked at the borders of any network that has such management systems so they don't go in or out.
Once routers and firewalls are sensibly configured with egress filtering to keep internal information internal, and to prevent external calls that make no sense from getting in, you will have mitigated much of the risk.
You also do not need universal access to your network in order to provide appropriate access to customers and staff. If you need clients or staff to have access, start with authenticated log-on through SSH or other VPN approaches, and then allow access to printing, or any other service.
And that's the key... We manage risk.
Port 445, for example, is used for Microsoft's file and printer sharing, remote registry access, named pipes services, and many MS-RPC services. If we do not need anyone to access our printers across the Internet directly, don't let calls to this port in.
Port 445 is one of the exploit methods of the recent Sasser exploit. Blocking the port reduces a system risk to the exploit regardless of the state of patches.
Clearly, we still need to look out for viruses, Trojans, and worms. And we need to get better and faster at applying patches for operating systems and applications.
If we use known concepts of sensibly configuring a network, we can effectively reduce the risks of damage by new infectors that are popping up faster than ever before. Doing better at reducing the risk is how we ensure our companies stay in business while we read about the high costs others are paying to repair damages wrought by attacks.
Bob Hillery, a former computer and security manager for the U.S. Navy, is a founder of Intelguardians, LLC, a security consultancy. With experience in the corporate, military and academic worlds, he now also is an instructor with the SANS Institute.
To discuss this issue with other IT and security administrators, go to our Forum.