Computerworld - NEW YORK -- So-called zero-day attacks that take advantage of software vulnerabilities for which there are no available fixes are starting to be viewed as a major threat to data security, said IT managers at the InfoSec 2003 conference here last week.
More than ever, the threat of such attacks underscores the need for companies to set and then require the use of safe-configuration policies for the packaged software and homegrown systems they use, conference attendees said.
They also stressed the importance of having well-developed patching and incident-response capabilities to help minimize the havoc that attacks could wreak.
"I'm very concerned about it," said Joseph Inhoff, LAN administrator at Lutron Electronics Co., a maker of lighting equipment in Coopersburg, Pa. Because zero-day attacks seek to exploit security holes in software products before vendors can plug them, the potential for damage is something that Lutron's management is especially worried about, Inhoff said.
Inhoff attended the InfoSec show to see how automated patching software could help his company respond to zero-day attacks once patches are released by vendors. "I'm trying to figure out what I can do about it," he said.
No major zero-day attacks have been launched so far. But IT managers probably won't have the luxury of being able to put off needed security improvements for long, warned Mary Ann Davidson, chief security officer at Oracle Corp.
Malicious hackers are getting much better and faster at exploiting software flaws, Davidson said during a panel discussion. Last summer's Blaster worm, which was one of the most virulent and widespread ever, hit the Internet barely one month after Microsoft Corp. issued a patch for the Windows flaw that the attack exploited. A variant of Blaster called Nachi struck less than a week later. By comparison, last January's SQL Slammer worm didn't appear until eight months after the discovery of the SQL Server database vulnerability it took advantage of.
"You can see that the time lines are collapsing," Davidson said. The trend suggests that it's only a matter of time before users start seeing attacks against flaws that haven't yet been disclosed, or ones for which patches haven't yet been released, she added.
The number of new vulnerabilities and exploits surfacing on IT security discussion forums and mailing lists are another indication that such attacks aren't far off, said Todd Kunkel, network system security administrator at Adelphi University in Garden City, N.Y.
Kunkel monitors discussion forums on a daily basis to try to keep abreast of new security threats and determine whether work-arounds are possible before attackers exploit the flaws. "I try to find out if there's anything that I need to worry about and see how I can go about fixing it," he said.
The relatively glacial pace at which some companies patch their systems against security holes makes them attractive targets for zero-day attacks as well as conventional ones, said Gerhard Eschelbeck, chief technology officer at Qualys Inc., a Redwood Shores, Calif.-based company that provides vulnerability assessment services.
Every three months, Qualys performs more than 1 million vulnerability scans on behalf of 1,300 clients and "several thousand" prospects, Eschelbeck said. He noted that one scan done last month identified more than 12,000 systems that were vulnerable to a Windows remote procedure call flaw for which no patches were available at the time.
The consequences of zero-day attacks are "potentially devastating" for companies that haven't developed plans for rapidly responding to them, said Dennis Brouwer, a senior vice president at Dublin, Ohio-based SmartPipes Inc., a provider of managed network services.
The only option that IT managers may have if they are caught unprepared by an attack is to shut down their systems and restart, Brouwer said. "It's almost like the response after 9/11," he noted. "The first thing you do is to get all your airplanes on the ground."
How to Mitigate Exposure to Zero-Day Attacks:
REQUIRE vendors to ship software that meets specific safe-configuration requirements.
ENSURE that all default software settings and unneeded features are turned off.
SCAN your network for configuration shortcomings and unpatched systems.
MAKE SURE that you have a good patching process and an incident-response plan in place.
Read more about Security in Computerworld's Security Topic Center.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
