Computerworld - Blaster, Nachi and their variants were worms that attacked a Windows security flaw found on most end-user workstations. Companies that were hit with these worms discovered weaknesses in their architectures, processes and procedures that weren't considered important until now. I asked some of my colleagues in information security for their comments and lessons learned. They are summarized here.
How the worm got in
Worms penetrated organizations in several ways. A systems administrator in a branch of the U.S. military described how an employee accessed a personal Web mail account from work, downloaded an infected message and opened the attachment, thereby beginning the spread inside the organization. That user's antivirus software had to have been disabled, or it had an out-of-date signature file.
A systems analyst at a parts-distribution company told me that contractors brought in their laptops and routinely connected them to the corporate network without IT's involvement. Some of those laptops had out-of-date signature files or expired antivirus subscriptions, enabling them to become infected while connected to an unprotected home LAN or hot spot.
A help desk employee at a telecommunications company told of laptops that employees took home and connected to their Digital Subscriber Line or cable-modem Internet connections. Their home LANs and laptops were unprotected by firewalls and were scanned and infected, and upon returning to the corporate network, these systems began the spread internally.
Another scenario involved network connections between companies. The parts-distribution company mentioned earlier used router-based virtual private network (VPN) technology to encrypt network traffic between companies. The company on the far end of the VPN link was hit pretty hard with Blaster, filling the VPN connection with Blaster scanning traffic that was then able to begin infecting systems on the near side of the VPN connection. The trouble in this case was that the VPN connection, while encrypted, didn't have a firewall. The company permitted all network traffic from the other company to pass unhindered, including Blaster worm scanning traffic.
In all of these cases, antivirus software wasn't working, was expired or wasn't updating virus signature files often enough, or at all.
How the worm spread
Once an infected system began scanning for more systems, any systems lacking the security patch and up-to-date antivirus signatures also became infected.
Peter H. Gregory, CISSP, CISA, is an information technology and security consultant, a freelance writer and an author of several books, including Solaris Security, Enterprise Information Security, and CISSP for Dummies. As a consultant he provides strategic technology and security services to small and large businesses.
He can be reached at email@example.com.
His Web site is www.hartgregorygroup.com.
- Organizations need better control over computers they don't own and other devices being connected to their internal networks. This can be achieved through policy, awareness and enforcement. For example, Dynamic Host Configuration Protocol (DHCP) servers should be made smarter about allocating IP addresses only to systems they recognize and not just any device on the network capable of generating a DHCP request.
- Organizations are learning that the network perimeter exists in many places besides the Internet firewall. Connections to other organizations, and even connections within organizations, also need to have firewalls. Company laptops need to take a little piece of the perimeter with them when they travel outside the corporate firewall. Organizations need to consider installing personal firewall software on laptops to protect them from external threats when they're connected to the Internet via an unfirewalled home network or hot spot.
- Antivirus software is only as good as its signature files are up-to-date. This can be challenging in large, distributed organizations. Nevertheless, more care over antivirus software and the mechanisms used to update signature files may be in order for many organizations.
- Companies that had scaled back their PC support departments were hit hard because they didn't have enough resources to disinfect systems quickly. As a result, some companies spent several days trying to keep up with cleaning infected systems and taking calls from users complaining of slow networks. Companies that had outsourced PC support to off-site organizations also felt the pain, since there were no on-site PC technicians to install patches when they needed to be physically present to do so.
While most of these lessons have been best practices for years, I hope organizations that were hit with Blaster or Nachi put these lessons into practice before the next Internet worm makes the rounds.
Read more about Security in Computerworld's Security Topic Center.
- Troubleshooting Common Issues in VoIP Learn more about Voice over Internet Protocol (VoIP), including common VoIP metrics used, best practices in VoIP management and tips and tricks for...
- 2013 Network Management Software (NMS) Buyers Guide This white paper contains an independent comparison study of six different network management solutions and provides guidance on how you can choose the...
- Rightsizing Your Network Performance Management Solution: 4 Case Studies This white paper discusses challenges encountered as organizations search for the most cost-effective network performance management solution.
- Global Growing Pains: Tapping into B2B Integration Services to Overcome Global Expansion Challenges A recent survey by IDG Research explored both the challenges and pain points companies face when growing globally, as well as the capabilities...
- E-Signature RFP Checklist Webcast If your organization is looking to adopt e-signatures, you may be overwhelmed by the number of providers that offer seemingly similar solutions. How...
- Cloud and Collaboration: Driving Your Business Value Mission Critical Cloud from Peer 1 Hosting is enterprise-grade. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!