Computerworld - You've just learned that a new worm from a former Soviet country is spreading fast because it doesn't rely on e-mail – it automatically exploits a vulnerability in Microsoft's Internet Information Server. Now what? Do you cancel your evening plans and stay late testing patches, or can you safely ignore this worm?
Network administrators face similar questions hundreds of times each year. With your company's electronic treasures at stake, you need a consistent paradigm to help evaluate whether each new threat deserves a yawn, a fire drill or something in between.
What follows is a checklist of nine questions to help you weigh the significance of any new threat.
1. Does the new threat affect software we use? No? Then you're in the clear. But don't answer too hastily. Your policy might forbid, say, AOL Instant Messenger, but that doesn't mean it's not on your network. Read up on some of the applications that users like to sneak onto their machines – most commonly peer-to-peer file sharing, instant messaging applications, media players and IRC. Find out which port numbers they use, then check your firewall logs for outbound traffic on those ports.
Also, don't fall for this one: "If I haven't heard of it, it's probably not on my network." Read security bulletins thoroughly before deciding that the vulnerable software isn't on your network.
2. Is this exploit an insider threat or from the outside? Attackers from within are usually easier to track because they use a range of IP addresses and MAC addresses you know. Plus, insiders know they could lose their jobs for attacking you.
Attackers from outside your network have the entire Internet in which to hide, and they know you can't touch them. Therefore, threats from the outside are more worrisome than threats that can be exploited only locally. When you read about a new vulnerability, watch for red-flag terms like "executed remotely," "remote root" and "external."
The rule of thumb: If it's a threat that can be exploited externally, treat it with more urgency.
3. How difficult is this exploit? Some widely reported vulnerabilities are so tricky to exploit that they're more theoretical than real. Other attacks are as simple as logging on without entering a password.
Any additional complexity in the attack, whether on the attacker's part or the victim's, reduces the number of hackers who will try the attack and lessens the chances of it succeeding.
The most aggressive attackers are barely knowledgeable script kiddies who don't truly know programming. So the rule of thumb is, if it requires a genius (or a ton of labor) to launch the attack, chances are, it won't come your way. If executing the attack is simple, take it very seriously.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
