Worm Wars

Companies are throwing up layers of protection as new worms and viruses appear at an ever-quickening pace.

Christofer Hoff is taking no chances when it comes to protecting his organization against worms and viruses. As the director of enterprise security services at Western Corporate Federal Credit Union (WesCorp), Hoff has put in place a multilayered architecture designed to set as many barriers as possible between the bad guys and his data.

Apart from the usual firewall and antivirus tools, the San Dimas, Calif.-based company, which has $25 billion in assets, has also segmented its networks and deployed an array of intrusion detection and prevention tools, client security products and threat-modeling software. Such defense in depth is precisely what's needed to keep marauding malware at bay these days, say security practitioners such as Hoff.

"The worm problem has completely catalyzed the relevancy of the information security function," says Hoff. "It's not about ROI any longer but about the reduction of risk on investment."

Worms and other malware have been around for years. But several trends are coming together to make them more dangerous than before, users say.

Worm writers are taking advantage of newly announced software flaws more quickly, giving users less time to defend their systems. Last year's Blaster was considered fast when it exploited a vulnerability in 26 days. This May's Sasser worm took 17 days, while the Witty worm in March was out in one day. And there have been a few "zero-day" exploits, which appear before a flaw has been disclosed or a fix becomes available. Their damage has been limited, but it's only a matter of time before a virulent one is unleashed, experts say. "This is a war. If the users are to win, they have to beat the clock every single time," says Eric Litt, chief information security officer (CISO) at General Motors Corp.

But companies are still taking an average of 60 days to patch their systems, which is too long, says Gerhard Eschelbeck, chief technology officer at Qualys Inc., a Redwood Shores, Calif.-based provider of vulnerability management services. Also, every year half of the most critical vulnerabilities are replaced with new, equally serious ones, he says.

Exposure to risk is increasing as companies connect their secure networks with those of partners and other third parties. The burgeoning remote and wireless user population adds to the problem.

"There are more avenues that can be attacked, which is why perimeter defenses alone are no longer enough," says Greg Murray, vice president of information security at Information Resources Inc. in Chicago. IRI does market research for some of the world's largest food, consumer goods and pharmaceutical companies.

Worms are being released at an ever-increasing rate, and they're becoming more lethal. Four of the five worst mass outbreaks of worms—MyDoom, NetSky, Bagle and Sasser—have taken place this year. Antivirus firm Symantec Corp. has rated more threats at Category 4—its most severe—in the first part of 2004 than it did in all of 2003. For instance, MyDoom infected systems and then used them as launch pads for denial-of-service attacks against Microsoft Corp. and The SCO Group Inc. Other worms have attempted to block infected systems from downloading patches and antivirus updates, while others have been used to install back doors and steal data.

"The day of the digital Pearl Harbor that a lot of people have been talking about is fast approaching," says Jamie Chanaga, CISO at Geisinger Health System in Danville, Pa.

Preparing for that emergency requires a security architecture capable of automatically detecting and blocking threats, both known and unknown, says Litt. "The dominant [antivirus] technologies today are those that filter out infections based upon signatures," he says. This approach works only with known vulnerabilities and exploit code. Given the shortening time between vulnerability disclosures and exploit availabilities, that simply isn't enough, Litt says.

"The core reason why worms and viruses are so effective is that it is not always feasible for companies to patch production systems right away," says Chanaga. The goal should be to have enough defense layers so that a breach of one layer won't compromise your ability to do business, Litt says.

In WesCorp's case, the company's networks have been segmented by application function and business value. For instance, all of its SQL servers sit on one segment, and its mail servers sit on another. Each network segment is protected by an array of intrusion detection and prevention systems, while deep packet-inspection firewalls and signature-based antivirus technologies handle the filtering.

WesCorp uses a server-based scanning technology from WholeSecurity Inc. in Austin to scan client or partner systems for Trojan horses, spyware and other malicious code before letting another party log into its corporate network. A Qualys third-party vulnerability management service scans for holes and helps WesCorp quickly prioritize the assets that need to be protected in the event of an attack. Also deployed is software from Skybox Security Inc. in Palo Alto, Calif., that combines firewall, router, network and vulnerability data to model attacks.

Technology from Crossbeam Systems Inc. in Concord, Mass., allows WesCorp to consolidate the management of all of its security components. The result is impressive, but not perfect, security. "We will never be able to bring down the risk to zero," Hoff says.

It's crucial to install host firewalls, virtual private network support and intrusion-detection technologies on all endpoint devices and to have ways to enforce compliance with clients and business partners, says Murray. He uses a tool from Check Point Software Technologies Ltd. to do all of that.

"The days when you could simply have a titanium outer shell are over, considering you have to open your networks to trading partners, vendors and other institutions," Chanaga says.

Real-time monitoring of the network and all systems connected to it is also crucial for detecting vulnerabilities and prioritizing responses, says Chanaga, who is using Qualys to do both.

Lesson Learned

Sallie Mae Inc. has revamped much of its worm mitigation strategy after being badly mauled by the Nimda worm in September 2001, says Marc Houpt, the company's information security architect. Since then, Reston, Va.-based Sallie Mae has signed up with New York-based MessageLabs Inc. to scan its 80,000 daily e-mails and filter out executable files and other suspicious extensions. It has deployed antivirus software from Computer Associates International Inc. on all servers and workstations and has increased the frequency of its searches for updated virus signatures from twice a day to every four hours. The company's workstations check with the master antivirus server every 15 minutes.
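The attachment filtering described above, written out as an added example (it is not Sallie Mae's or MessageLabs' code): the blocked-extension list and the sample message are constructed for illustration, and the check looks at the final extension so that a double extension such as report.doc.exe is still caught.

```python
import re
from email import message_from_string
from typing import List, Optional, Tuple

# Extensions the gateway blocks outright (constructed list, not MessageLabs' policy).
BLOCKED_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "cpl"}


def flag_attachment(filename: str) -> Optional[str]:
    """Return a reason if the name should be blocked, else None. Uses the last
    extension ('report.doc.exe' is caught) and strips whitespace padding such as
    'invoice.txt        .scr' that is used to push the real extension out of view."""
    name = re.sub(r"\s+", "", filename.lower())
    parts = name.split(".")
    if len(parts) < 2:
        return None
    if parts[-1] in BLOCKED_EXTENSIONS:
        return "executable extension ." + parts[-1]
    return None


def scan_message(raw: str) -> List[Tuple[str, str]]:
    """Walk every MIME part; return (filename, reason) for parts to quarantine."""
    msg = message_from_string(raw)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        fname = part.get_filename()  # from Content-Disposition, or Content-Type name=
        reason = flag_attachment(fname) if fname else None
        if reason:
            hits.append((fname, reason))
    return hits


# Constructed sample: a benign PDF plus a disguised executable with a double extension.
SAMPLE = """From: sender@example.com
Subject: Q2 figures
Content-Type: multipart/mixed; boundary="BND"

--BND
Content-Type: application/pdf; name="q2.pdf"
Content-Disposition: attachment; filename="q2.pdf"

%PDF-1.4
--BND
Content-Type: application/octet-stream; name="report.doc.exe"
Content-Disposition: attachment; filename="report.doc.exe"

MZ
--BND--
"""
```

A production gateway would also compare the declared MIME type and the file's leading bytes against the extension, since the filename alone is attacker-controlled.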

Sallie Mae's information security team has also been given greater authority to make spot decisions about worms and viruses, Houpt says. When MyDoom started spreading, he was able to quickly convince his superiors to shut down the e-mail servers until the problem was fixed. Previously, such a shutdown would have required "two or three levels of authorization and a very strict on-the-spot change-control process," he says. "Now all it requires is a consensus between the network manager and myself."

It's important to keep certain issues in mind when deploying such a multilayered defense, users say.

The biggest is the integration of the various technology components. Where possible, it's important to use buying power to get vendors to do the integration for you before agreeing to buy a product, Hoff says.

Having a multilayered strategy also does little good without comprehensive analytical and reporting capabilities to interpret and present the information that's gathered by such systems, Murray says.

"More security technologies doesn't make you more secure; better management does," says Sam Curry, a vice president at CA.

And don't underestimate the support issues. For instance, integrating security into endpoint devices will inevitably result in more calls to the PC help desk, requiring the information security group to assume responsibility for some of the cost burdens as well, Hoff says. So end-user training is an essential component of any worm mitigation strategy.

Ironically, regulations can sometimes get in the way. For example, Geisinger is unable to deploy much-needed patches and antivirus software on exposed Windows-based clinical systems because it will break the FDA certification on those systems, Chanaga says.

The effort also needs to be balanced against business needs, Houpt says. For instance, when the information security team gets the authority to shut down crucial servers, it must have a very good understanding of a problem's potential effect, he says.

"Your infosec team needs to have the technical know-how and the credibility to make an impact assessment, and the user teams need to be able to trust that knowledge," Houpt says.

[Graph: Discovery/Attack Life Cycle. Source: Qualys Inc.]

As this graph illustrates, the window between the time a vulnerability is discovered and the time it is exploited is shrinking. Consequently, security teams have less time to identify and fix problems before networks are subject to attacks.

Copyright © 2004 IDG Communications, Inc.
