Computerworld - Not only could companies have easily slammed the door on the Slammer worm if they had installed the patch released by Microsoft Corp. six months ago, but they could also have uncovered the vulnerability exploited by the worm using a free benchmark developed jointly by the government and private sector.
Industry experts and users said the Slammer worm should have been a nonissue for companies because the patches and a free tool capable of detecting the vulnerability exploited by the worm were available six months ago. That's important because it would have given companies advance warning that they were vulnerable and more time to test the patch, said users.
In particular, they point to the issuance in July of the Consensus Minimum Security Benchmarks, also known as the Gold Standard. Developed jointly by five federal agencies, including the National Security Agency (NSA) and the FBI's National Infrastructure Protection Center, as well as the SANS Institute and the Center for Internet Security (CIS), the Gold Standard benchmark can be used to test Windows 2000 Professional systems running as workstations for proper configuration. It is available for download at www.cisecurity.org.
Alan Paller, director of research at SANS, said an NSA study of the benchmark concluded that by running it on a network a company could eliminate more than 90% of known vulnerabilities. And the database-specific vulnerabilities exploited by the Slammer worm would have been among those found, he said.
Pat Hymes, vice president of Corporate Information Security at Wachovia Corp., a CIS member company based in Charlotte, N.C., said properly configured servers are an absolute necessity for security. But maintaining service packs and "hot fixes" can be a challenge for any organization.
"It can take a great deal of time and energy to download, test and implement service packs and hot fixes, especially in large organizations, where they can impact hundreds of applications and thousands of servers," said Hymes. "Software companies, like Microsoft, have to accept more accountability for this situation. The total cost of ownership for servers running some of these distributed OSs, databases and Web software [is] going through the roof due to the manpower being expended to maintain patches and respond to events like the SQL Slammer worm."
Hymes added that the Gold Standard benchmark serves as an "excellent baseline" for security testing. And because it's available for free, "there's no reason not to use it."
The challenge remains awareness, said Clint Kreitner, president of CIS, a Hershey, Pa.-based nonprofit security standards consortium of more than 170 companies. "We continue to fight an uphill battle getting the message out to organizations that competent security configuration and up-to-date patching is one thing that everyone can and should do to make a huge difference in making their systems more secure," Kreitner said.
Maurice Rieffel, an IT security analyst at a major energy company in Louisiana, said, for example, that he was aware of the benchmark but didn't know it tested for the SQL database vulnerability exploited by Slammer.
Claude Bailey, an IT security analyst at one of the nation's largest financial management firms, said that while the Gold Standard is a good starting point, his security administrators say the problem isn't in detecting the vulnerability but in deploying the patches and fixes across an organization of 50,000 employees -- and guaranteeing that the patch won't cause more problems.
"We tested the original patch [for the SQL vulnerability], and it had problems," said Bailey. Now, with the financial firm in the middle of tax season, there's too much to lose to deploy patches that break other parts of the network. As a result, the company has placed a freeze on any such maintenance until tax season is over.
Roger Davis, an IT auditor at a global skin and body care products company in Utah, said a few hours upfront using the Gold Standard would have saved many companies hundreds of man-hours later.
Said Bailey, "If you decide not to patch something, you're dead."
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- Fight Malware, Malfeasance and Malingering Every year brings more extreme sets of threats than the last. The good news is that there are a range of mitigation options....
- Comprehensive Advanced Threat Defense The hot topic in the information security industry these days is "Advanced Threat Defense" (ATD). This paper describes a comprehensive, network-based approach to...
- Advanced Threat Defense: A Comprehensive Approach In this interview, Peter George, president, General Dynamics Fidelis Cybersecurity Solutions, explains why we need more than anti-malware, and what constitutes a comprehensive...
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- Live Webcast Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Live Webcast IBM FlashSystem V840: Leveraging Software-Defined Flash to Drive Your Business With end-to-end, tightly integrated functionality and super-fast flash technology, products like IBM FlashSystem V840 Enterprise Performance Solution empower businesses to leverage the efficiency...
- NSS Labs & Cisco Present: Evaluating Leading Breach Detection Systems Today's constantly evolving advanced malware and APTs can evade point-in-time defenses to penetrate networks. Security professionals must evolve their strategy in lockstep to...
- Will the Real Endpoint Threat Detection and Response Please Stand Up? This webinar explores new technologies & process for protecting endpoints from advanced attackers as well as the innovations that are pushing the envelope... All Malware and Vulnerabilities White Papers | Webcasts