
Worm Wars

Companies are throwing up layers of protection as new worms and viruses appear at an ever-quickening pace.

July 12, 2004 12:00 PM ET

Computerworld - Christofer Hoff is taking no chances when it comes to protecting his organization against worms and viruses. As the director of enterprise security services at Western Corporate Federal Credit Union (WesCorp), Hoff has put in place a multilayered architecture designed to set as many barriers as possible between the bad guys and his data.


Apart from the usual firewall and antivirus tools, the San Dimas, Calif.-based company, which has $25 billion in assets, has also segmented its networks and deployed an array of intrusion detection and prevention tools, client security products and threat-modeling software. Such defense in depth is precisely what's needed to keep marauding malware at bay these days, say security practitioners such as Hoff.


"The worm problem has completely catalyzed the relevancy of the information security function," says Hoff. "It's not about ROI any longer but about the reduction of risk on investment."


Worms and other malware have been around for years. But several trends are coming together to make them more dangerous than before, users say.


Worm writers are taking advantage of newly announced software flaws more quickly, giving users less time to defend their systems. Last year's Blaster was considered fast when it exploited a vulnerability in 26 days. This May's Sasser worm took 17 days, while the Witty worm in March was out in one day. And there have been a few "zero-day" exploits, which appear before a flaw has been disclosed or a fix becomes available. Their damage has been limited, but it's only a matter of time before a virulent one is unleashed, experts say. "This is a war. If the users are to win, they have to beat the clock every single time," says Eric Litt, chief information security officer (CISO) at General Motors Corp.

But companies are still taking an average of 60 days to patch their systems, which is too long, says Gerhard Eschelbeck, chief technology officer at Qualys Inc., a Redwood Shores, Calif.-based provider of vulnerability management services. Also, every year half of the most critical vulnerabilities are replaced with new, equally serious ones, he says.

Exposure to risk is increasing as companies connect their secure networks with those of partners and other third parties. The burgeoning remote and wireless user population adds to the problem.


"There are more avenues that can be attacked, which is why perimeter defenses alone are no longer enough," says Greg Murray, vice president of information security at Information Resources Inc. in Chicago. IRI does market research for some of the world's largest food, consumer goods and pharmaceutical companies.


