Federal security organizations repel Blaster worm

Computerworld - WASHINGTON -- Despite the rapid spread of the Blaster worm this week, it apparently had little or no effect on government agency operations here and around the country.
Although analysts said the worm might have cost the private sector several hundred million dollars in repairs and downtime, federal officials credited their ability to stop the worm to a solid security process -- bolstered by a determination to rid systems of the vulnerability long before it could be exploited.
Dave Wray, a spokesman for the U.S. Department of Homeland Security, said the relatively minor impact of the Blaster worm on federal operations "indicates that federal agencies have gotten the word and taken appropriate actions to prevent exploitation of this vulnerability. ... [The government's] patch management program seems to be working."
Tom Pyke, CIO at the U.S. Department of Commerce, said his agency first learned of the vulnerability last month through the Federal Computer Incident Response Center. The center, along with the Office of Management and Budget, held a teleconference at the time with all federal CIOs to discuss the potential impact of the flaw on federal operations, he said.
"At that point, we undertook a crash effort using a process we've had in place for the last year," said Pyke, whose agency dedicates $80 million to IT security out of a total IT budget of $1.5 billion. "Our initial determination was that many of our systems were already protected through routine updates, and the rest of them were protected in very short order through either automated patching or restrictions to router tables that isolated the systems until they could be patched," he said. As a result, the Commerce Department had no reported infections by the Blaster worm across its more than 39,900 systems.
A similar success story comes from Lawrence Livermore National Laboratory, where more than 10,000 systems were patched before the worm ever showed its head on the Internet.
"At one point, we were sitting around waiting for a worm to develop because our security director correctly conjectured that the transport vehicle [for the exploit] was going to be a worm," said Kenneth Neves, CIO at Lawrence Livermore. "But we didn't wait for a worm or a signature. I likened it to treating a sick patient vs. getting an immunization. Had we taken the standard approach, which is to wait for the signature to appear, we would have been compromised. We would have had a major problem."
The worm, also known as Lovsan, takes advantage of a known vulnerability in a Windows component called the Distributed Component Object Model interface, which handles messages sent using the remote procedure call (RPC) protocol. RPC is a common protocol that software programs use to request services from other programs running on servers in a networked environment.
Neves credited the California-based lab's security chain of command, which has someone responsible for security initiatives at each level.
Mark Graff, chief cybersecurity officer at Lawrence Livermore, said the policies at the lab gave his team plenty of time to deal with the threat. And even though most of the lab's patch-deployment process is automated, many of the unique systems used by scientists had to be fixed manually.
Lab officials also learned some important lessons in dealing with the Blaster worm, said Graff. "There are very complicated trade-offs in trying to decide exactly how far to go in making special adjustments to the firewall," he said. "We had a team looking at exactly which additional ports, if any, we needed to block. And we have to ask ourselves in every instance what the operational impact would be."
At the U.S. Department of Defense, the Joint Task Force for Computer Network Operations (JTF-CNO) sent an urgent message on July 25 to combatant commanders and service agencies to apply the patches needed to fix the vulnerability.
"The JTF-CNO also directed actions that are designed to block or limit any attempts at exploitation, and we are currently assessing and investigating sensor data and incident reports," said Timothy McFadden, a spokesman for the JTF-CNO. "Attempts to hijack or degrade the Internet are simply a fact of modern life. DOD computer systems are attacked every day."
A senior official at the Port Authority of New York and New Jersey who requested anonymity said port authority operations weren't affected by the worm. But the agency still faces the usual challenges of balancing a need to test new patches with the need to get a fix out in the field quickly.
The real question, said the official, "is when is Microsoft going to deliver on its commitment to develop more secure software?"