Computerworld - Well, I've done it again: I've changed positions. I ended my contract engagement with my old employer and moved on to a high-tech company. I've been brought in to assist in the architectural design, engineering and building of a new IT security infrastructure.
The security infrastructure we have needs a lot of work. A year ago, we had fewer than 1,000 employees. Today, that number exceeds 7,000. We have no security policies, our firewall rule base exceeds 1,500 lines, and we lack a good centralized access control mechanism, security auditing tools and adequate virus protection. In fact, we just suffered a massive Nimda worm infestation, so I've had to hit the ground running.
The Nimda worm, first discovered in September, is nasty in that it uses multiple methods to spread throughout the Internet. One is to attack Web servers running unpatched versions of Microsoft's Internet Information Server (IIS). The worm exploits several known IIS vulnerabilities, and once Nimda installs itself on one server, it searches the Internet for other vulnerable Web servers and starts the process again.
Another method of infestation is by way of LAN-based attacks. After infecting the victim server, the worm adds the "guest" account to the server's administrator group. Since anyone can log on as "guest" without a password, this opens up the system so that anyone on the Internet can log on to the compromised system. Once logged in, attackers can read any file, and in some cases, they may be able to remotely control the server.
LINKS:
This link describes how to use Cisco's network-based application recognition feature to block Nimda packets.
This is the original CERT advisory with details on the Nimda worm.
Earlybird is a free, real-time worm reporting tool. It watches Web logs for suspicious activity and automatically composes and sends an e-mail incident report to the offending network. The report contains the IP address of the attacking system and the decoded string from the packet.
Almost every Unix variant comes with a utility that supports configuring the server's network card to watch network traffic. This paper, "The Secrets of Snoop" by Lance Spitzner, is an excellent introduction to using the Solaris Snoop utility for this purpose.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
