Users Worry About 'Zero-Day' Attacks, Try to Secure Systems
System configuration rules, incident-response plans may reduce threat
Computerworld - NEW YORK -- So-called zero-day attacks that take advantage of software vulnerabilities for which there are no available fixes are starting to be viewed as a major threat to data security, said IT managers at the InfoSec 2003 conference here last week.
More than ever, the threat of such attacks underscores the need for companies to set and then require the use of safe-configuration policies for the packaged software and homegrown systems they use, conference attendees said.
They also stressed the importance of having well-developed patching and incident-response capabilities to help minimize the havoc that attacks could wreak.
"I'm very concerned about it," said Joseph Inhoff, LAN administrator at Lutron Electronics Co., a maker of lighting equipment in Coopersburg, Pa. Because zero-day attacks seek to exploit security holes in software products before vendors can plug them, the potential for damage is something that Lutron's management is especially worried about, Inhoff said.
Inhoff attended the InfoSec show to see how automated patching software could help his company respond to zero-day attacks once patches are released by vendors. "I'm trying to figure out what I can do about it," he said.
No major zero-day attacks have been launched so far. But IT managers probably won't have the luxury of being able to put off needed security improvements for long, warned Mary Ann Davidson, chief security officer at Oracle Corp.
Malicious hackers are getting much better and faster at exploiting software flaws, Davidson said during a panel discussion. Last summer's Blaster worm, which was one of the most virulent and widespread ever, hit the Internet barely one month after Microsoft Corp. issued a patch for the Windows flaw that the attack exploited. A variant of Blaster called Nachi struck less than a week later. By comparison, last January's SQL Slammer worm didn't appear until eight months after the discovery of the SQL Server database vulnerability it took advantage of.
"You can see that the time lines are collapsing," Davidson said. The trend suggests that it's only a matter of time before users start seeing attacks against flaws that haven't yet been disclosed, or ones for which patches haven't yet been released, she added.
The number of new vulnerabilities and exploits surfacing on IT security discussion forums and mailing lists are another indication that such attacks aren't far off, said Todd Kunkel, network system security administrator at Adelphi University in Garden City, N.Y.
Kunkel monitors discussion forums on a daily basis to try to keep abreast of new security threats and determine whether work-arounds are possible before attackers exploit the flaws. "I try to find out if there's anything that I need to worry about and see how I can go about fixing it," he said.
The relatively glacial pace at which some companies patch their systems against security holes makes them attractive targets for zero-day attacks as well as conventional ones, said Gerhard Eschelbeck, chief technology officer at Qualys Inc., a Redwood Shores, Calif.-based company that provides vulnerability assessment services.
Every three months, Qualys performs more than 1 million vulnerability scans on behalf of 1,300 clients and "several thousand" prospects, Eschelbeck said. He noted that one scan done last month identified more than 12,000 systems that were vulnerable to a Windows remote procedure call flaw for which no patches were available at the time.
The consequences of zero-day attacks are "potentially devastating" for companies that haven't developed plans for rapidly responding to them, said Dennis Brouwer, a senior vice president at Dublin, Ohio-based SmartPipes Inc., a provider of managed network services.
The only option that IT managers may have if they are caught unprepared by an attack is to shut down their systems and restart, Brouwer said. "It's almost like the response after 9/11," he noted. "The first thing you do is to get all your airplanes on the ground."
How to Mitigate Exposure to Zero-Day Attacks:
REQUIRE vendors to ship software that meets specific safe-configuration requirements.
ENSURE that all default software settings and unneeded features are turned off.
SCAN your network for configuration shortcomings and unpatched systems.
MAKE SURE that you have a good patching process and an incident-response plan in place.
Read more about Security in Computerworld's Security Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Alert Logic for PCI DSS Compliance To achieve PCI DSS compliance, you must identify and remediate all critical vulnerabilities detected during PCI scans. Threat Manager streamlines this process by...
- Cybersecurity Imperatives Reinvent Your Network Security With Palo Alto Networks The Rise of CyberSecurity
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts