Computerworld - Blaster, Nachi and their variants were worms that attacked a Windows security flaw found on most end-user workstations. Companies that were hit with these worms discovered weaknesses in their architectures, processes and procedures that weren't considered important until now. I asked some of my colleagues in information security for their comments and lessons learned. They are summarized here.
How the worm got in
Worms penetrated organizations in several ways. A systems administrator in a branch of the U.S. military described how an employee accessed a personal Web mail account from work, downloaded an infected message and opened the attachment, thereby beginning the spread inside the organization. That user's antivirus software had to have been disabled, or it had an out-of-date signature file.
A systems analyst at a parts-distribution company told me that contractors brought in their laptops and routinely connected them to the corporate network without IT's involvement. Some of those laptops had out-of-date signature files or expired antivirus subscriptions, enabling them to become infected while connected to an unprotected home LAN or hot spot.
A help desk employee at a telecommunications company told of laptops that employees took home and connected to their Digital Subscriber Line or cable-modem Internet connections. Their home LANs and laptops were unprotected by firewalls and were scanned and infected, and upon returning to the corporate network, these systems began the spread internally.
Another scenario involved network connections between companies. The parts-distribution company mentioned earlier used router-based virtual private network (VPN) technology to encrypt network traffic between companies. The company on the far end of the VPN link was hit pretty hard with Blaster, filling the VPN connection with Blaster scanning traffic that was then able to begin infecting systems on the near side of the VPN connection. The trouble in this case was that the VPN connection, while encrypted, didn't have a firewall. The company permitted all network traffic from the other company to pass unhindered, including Blaster worm scanning traffic.
In all of these cases, antivirus software wasn't working, was expired or wasn't updating virus signature files often enough, or at all.
How the worm spread
Once an infected system began scanning for more systems, any systems lacking the security patch and up-to-date antivirus signatures also became infected.
Peter H. Gregory, CISSP, CISA, is an information technology and security consultant, a freelance writer and an author of several books, including Solaris Security, Enterprise Information Security, and CISSP for Dummies. As a consultant he provides strategic technology and security services to small and large businesses.
He can be reached at firstname.lastname@example.org.
His Web site is www.hartgregorygroup.com.
- Organizations need better control over computers they don't own and other devices being connected to their internal networks. This can be achieved through policy, awareness and enforcement. For example, Dynamic Host Configuration Protocol (DHCP) servers should be made smarter about allocating IP addresses only to systems they recognize and not just any device on the network capable of generating a DHCP request.
- Organizations are learning that the network perimeter exists in many places besides the Internet firewall. Connections to other organizations, and even connections within organizations, also need to have firewalls. Company laptops need to take a little piece of the perimeter with them when they travel outside the corporate firewall. Organizations need to consider installing personal firewall software on laptops to protect them from external threats when they're connected to the Internet via an unfirewalled home network or hot spot.
- Antivirus software is only as good as its signature files are up-to-date. This can be challenging in large, distributed organizations. Nevertheless, more care over antivirus software and the mechanisms used to update signature files may be in order for many organizations.
- Companies that had scaled back their PC support departments were hit hard because they didn't have enough resources to disinfect systems quickly. As a result, some companies spent several days trying to keep up with cleaning infected systems and taking calls from users complaining of slow networks. Companies that had outsourced PC support to off-site organizations also felt the pain, since there were no on-site PC technicians to install patches when they needed to be physically present to do so.
While most of these lessons have been best practices for years, I hope organizations that were hit with Blaster or Nachi put these lessons into practice before the next Internet worm makes the rounds.
Read more about Security in Computerworld's Security Topic Center.
- The Pivotal Big Data Suite- Reducing the Risks of Big Data The explosion of big data and the rapid evolution of big data tools and technologies is challenging IT to meet the demands of...
- A Survival Guide for Data in the Wild All corporate data used to reside in the data center. Safe and sound behind the corporate firewall. But now, employees have multiple devices...
- Transforming Security: Designing a State-of-the-Art Extended Team The information security mission is no longer about implementing and operating controls.
- The Big Data Security Analytics Era Is Here New security risks and old security challenges often overwhelm legacy security controls and analytical tools.
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!