Computerworld - Blaster, Nachi and their variants were worms that attacked a Windows security flaw found on most end-user workstations. Companies that were hit with these worms discovered weaknesses in their architectures, processes and procedures that weren't considered important until now. I asked some of my colleagues in information security for their comments and lessons learned. They are summarized here.
How the worm got in
Worms penetrated organizations in several ways. A systems administrator in a branch of the U.S. military described how an employee accessed a personal Web mail account from work, downloaded an infected message and opened the attachment, thereby beginning the spread inside the organization. That user's antivirus software had to have been disabled, or it had an out-of-date signature file.
A systems analyst at a parts-distribution company told me that contractors brought in their laptops and routinely connected them to the corporate network without IT's involvement. Some of those laptops had out-of-date signature files or expired antivirus subscriptions, enabling them to become infected while connected to an unprotected home LAN or hot spot.
A help desk employee at a telecommunications company told of laptops that employees took home and connected to their Digital Subscriber Line or cable-modem Internet connections. Their home LANs and laptops were unprotected by firewalls and were scanned and infected, and upon returning to the corporate network, these systems began the spread internally.
Another scenario involved network connections between companies. The parts-distribution company mentioned earlier used router-based virtual private network (VPN) technology to encrypt network traffic between companies. The company on the far end of the VPN link was hit pretty hard with Blaster, filling the VPN connection with Blaster scanning traffic that was then able to begin infecting systems on the near side of the VPN connection. The trouble in this case was that the VPN connection, while encrypted, didn't have a firewall. The company permitted all network traffic from the other company to pass unhindered, including Blaster worm scanning traffic.
In all of these cases, antivirus software wasn't working, was expired or wasn't updating virus signature files often enough, or at all.
How the worm spread
Once an infected system began scanning for more systems, any systems lacking the security patch and up-to-date antivirus signatures also became infected.
Peter H. Gregory, CISSP, CISA, is an information technology and security consultant, a freelance writer and an author of several books, including Solaris Security, Enterprise Information Security, and CISSP for Dummies. As a consultant he provides strategic technology and security services to small and large businesses.
He can be reached at firstname.lastname@example.org.
His Web site is www.hartgregorygroup.com.
- Organizations need better control over computers they don't own and other devices being connected to their internal networks. This can be achieved through policy, awareness and enforcement. For example, Dynamic Host Configuration Protocol (DHCP) servers should be made smarter about allocating IP addresses only to systems they recognize and not just any device on the network capable of generating a DHCP request.
- Organizations are learning that the network perimeter exists in many places besides the Internet firewall. Connections to other organizations, and even connections within organizations, also need to have firewalls. Company laptops need to take a little piece of the perimeter with them when they travel outside the corporate firewall. Organizations need to consider installing personal firewall software on laptops to protect them from external threats when they're connected to the Internet via an unfirewalled home network or hot spot.
- Antivirus software is only as good as its signature files are up-to-date. This can be challenging in large, distributed organizations. Nevertheless, more care over antivirus software and the mechanisms used to update signature files may be in order for many organizations.
- Companies that had scaled back their PC support departments were hit hard because they didn't have enough resources to disinfect systems quickly. As a result, some companies spent several days trying to keep up with cleaning infected systems and taking calls from users complaining of slow networks. Companies that had outsourced PC support to off-site organizations also felt the pain, since there were no on-site PC technicians to install patches when they needed to be physically present to do so.
While most of these lessons have been best practices for years, I hope organizations that were hit with Blaster or Nachi put these lessons into practice before the next Internet worm makes the rounds.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts