Free benchmark could have found Slammer vulnerability

January 31, 2003 12:00 PM ET

Computerworld - Not only could companies have easily slammed the door on the Slammer worm if they had installed the patch released by Microsoft Corp. six months ago, but they could also have uncovered the vulnerability exploited by the worm using a free benchmark developed jointly by the government and private sector.
Industry experts and users said the Slammer worm should have been a nonissue for companies because the patches and a free tool capable of detecting the vulnerability exploited by the worm were available six months ago. That's important because it would have given companies advance warning that they were vulnerable and more time to test the patch, said users.
In particular, they point to the issuance in July of the Consensus Minimum Security Benchmarks, also known as the Gold Standard. Developed jointly by five federal agencies, including the National Security Agency (NSA) and the FBI's National Infrastructure Protection Center, as well as the SANS Institute and the Center for Internet Security (CIS), the Gold Standard benchmark can be used to test Windows 2000 Professional systems running as workstations for proper configuration. It is available for download at www.cisecurity.org.
Alan Paller, director of research at SANS, said an NSA study of the benchmark concluded that by running it on a network a company could eliminate more than 90% of known vulnerabilities. And the database-specific vulnerabilities exploited by the Slammer worm would have been among those found, he said.
Pat Hymes, vice president of Corporate Information Security at Wachovia Corp., a CIS member company based in Charlotte, N.C., said properly configured servers are an absolute necessity for security. But maintaining service packs and "hot fixes" can be a challenge for any organization.
"It can take a great deal of time and energy to download, test and implement service packs and hot fixes, especially in large organizations, where they can impact hundreds of applications and thousands of servers," said Hymes. "Software companies, like Microsoft, have to accept more accountability for this situation. The total cost of ownership for servers running some of these distributed OSs, databases and Web software [is] going through the roof due to the manpower being expended to maintain patches and respond to events like the SQL Slammer worm."
Hymes added that the Gold Standard benchmark serves as an "excellent baseline" for security testing. And because it's available for free, "there's no reason not to use it."
The challenge remains awareness, said Clint Kreitner, president of CIS, a Hershey, Pa.-based nonprofit security standards consortium of more than 170 companies. "We continue to fight an uphill battle getting the message out to organizations that competent security configuration and up-to-date patching is one thing that everyone can and should do to make a huge difference in making their systems more secure," Kreitner said.
Maurice Rieffel, an IT security analyst at a major energy company in Louisiana, said, for example, that he was aware of the benchmark but didn't know it tested for the SQL database vulnerability exploited by Slammer.
Claude Bailey, an IT security analyst at one of the nation's largest financial management firms, said that while the Gold Standard is a good starting point, his security administrators say the problem isn't in detecting the vulnerability but in deploying the patches and fixes across an organization of 50,000 employees -- and guaranteeing that the patch won't cause more problems.
"We tested the original patch [for the SQL vulnerability], and it had problems," said Bailey. Now, with the financial firm in the middle of tax season, there's too much to lose to deploy patches that break other parts of the network. As a result, the company has placed a freeze on any such maintenance until tax season is over.
Roger Davis, an IT auditor at a global skin and body care products company in Utah, said a few hours upfront using the Gold Standard would have saved many companies hundreds of man-hours later.
Said Bailey, "If you decide not to patch something, you're dead."