How to protect your company with application and protocol use policies
Computerworld -
It happens all too often that the first time a vulnerability becomes known is when a forensic investigation is under way to find out how a system was broken into, or when a virus that's already spreading is being analyzed.
Whether the vendors knew about the vulnerability a year ago or found out about it this morning, if the exploit code exists when the vulnerability is made public, it's a potential zero-day exploit that can threaten critical assets immediately.
Even after a patch has been created and advertised, there can be an extended period while the patch is tested and deployed on every system. During this time, systems are vulnerable to being exploited. Worse yet, most incidents of attack accelerate after an announcement or release of a patch.
A well-known example is the Slammer worm that targeted Microsoft SQL Servers. A hybrid worm that combined a distributed denial-of-service (DDoS) attack with the automated propagation techniques used by worms such as Code Red had targeted a known vulnerability in SQL Server systems. While signature-based systems are needed to provide overall protection, they aren't sufficient to stop unknown and zero-day exploits and application-level threats. To protect against emerging threats, organizations should consider using the following methods:
Enforce acceptable protocol and application usage
Many attacks target protocols such as HTTP, DNS and FTP. Certain programming errors, such as unchecked buffers, can be exploited by attackers to compromise or damage a system. These attacks exploit loose programming practices in applications and systems. Enforcing acceptable protocol behavior goes beyond checking requests for comments (RFC) and ensures that the data flowing through the network adheres to the policies of the applications running in your environment.
Most application attacks, by their very nature, contain malicious code that would cause the attack packet stream to violate acceptable protocol usage. Simply put, since it's clearly known whether a packet stream complies with acceptable application or protocol usage, any data stream that violates those protocols can be deemed malicious and thus be blocked.
Here's an example: The HTTP 1.0/1.1 protocol allows host names up to any length, so an RFC checker wouldn't bother checking this field. Application usage enforcement knows that since the Domain Name System doesn't allow for host names of more than 256 characters, the best way to stop attacks is through blocking any HTTP request that contains a host-name field with more than 256 characters. With checks like these, a properly configured protection system can block zero-day attacks that might exploit a still-unknown vulnerability in a Web
Security
Additional Resources



White Papers & Webcasts
The State of PCI DSS Compliance at Organizations Today
Download this resource today!
Managing Secure File Transfer to Save Time, Money and IT Resources
Learn how companies are using innovative technology to overcome these challenges and improve user productivity by offloading e-mail attachments and replacing FTP with...
Can Heuristic Technology Help Your Company Fight Viruses?
What is Heuristic Technology and how can it help safeguard your business against viruses? Learn more.
Security Convergence Equals Network Security Cost Savings
Listen to IBM Internet Security Systems' take on network security convergence.
Why Email Must Operate 24/7 and How to Make This Happen
Learn how to avoid an email outage by implementing a hosted email continuity solution.
Lower the Cost and Complexity of a Mobile Workforce through Automation
Download This Resource Now!
Eradicate Spam & Gain 100% Asurance of Clean Mailboxes
Get this paper now!
Managing Mobility: Improve Data Security, Compliance and Manageability
Download This Resource Now!
Mastering eDiscovery: The IT Manager's Guide to Preservation, Protection & Production
Get this paper now!
Disaster Recovery 2008: Reduced Costs and Improved Performance
How long can your Enterprise afford to be without your data? With an accelerated disaster recovery program, you never have to answer this...
