Tips for Tech

Tech Alert Briefing for 8/14/2003

What the Blaster Worm Teaches Us


When it comes right down to it, we got lucky with the Blaster worm. As far as worms go, it is relatively harmless. It does not destroy either hardware or data. It doesn't have any kind of malicious payload. And it even informs the user that his computer is infected. Nonetheless, it has caused a worldwide epidemic of infections, keeping technicians and security experts busy scrambling to download and install patches and clean infected machines.

BOL spoke to Lawrence Levine, founder and managing director for SecurePipe, Inc., about the lessons to be learned from the Blaster worm. Here's what Lawrence told us:

  • When it comes to information security, you need to ask "How can I find the appropriate balance of paranoia and pragmatism?"

  • The key is to look at the problem and say "What are the realistic things I can do?"

  • Recently, Gartner came out with a report, basically calling for the death of intrusion detection and hyping the use instead of intrusion prevention. That report was roundly criticized. Intrusion Prevention Systems hold a lot of promise for the future, but right now they are mainly hype. Intrusion detection, on the other hand, is a tangible, effective protective measure. It's important, and it's not going away any time soon.

  • Most intrusion prevention solutions are gateway solutions, which means they only deal with Internet traffic. That isn't good enough. There is a strong argument in favor of a layered security model. As an example, one business was effectively protected from the Blaster worm by their firewalls and security policy, but they had a private line back to their parent corporation and they got hit through that private line. A gateway solution that only looked at Internet traffic didn't catch the worm coming in through the private line, but the next layer of security did. The intrusion detection system the company had in place detected the worm and they were able to contain the damage immediately.

  • Many people don't understand the difference between what a firewall is designed to do, versus what an intrusion detection system is designed to do. Firewalls try to stop attacks. IDSs alert you to when a firewall, or other layer of security, has failed to stop the attacks or has been bypassed.

  • Don't be naïve enough to think that the only two avenues through which your network security may be compromised by an outsider are through something you receive via email, or a hacker that is deliberately targeting your institution. As the Blaster worm shows, it is possible for remote hackers to perform port scans of random blocks of IP addresses, looking for vulnerabilities. In this instance, the vulnerability related to a failure to install particular security patches.

  • Another danger is that with the use of cryptography getting as common as it is, if a user on your network visits a Web site and is connected in an encrypted way, your firewall is going to let malicious code through without recognizing it as such, and your IDS system is not going to see that it's an attack. Imagine one of your employees surfing over on his lunch hour to an e-commerce site to place an order for something. Your network could be vulnerable to an attack because of that action.

  • That brings up the whole people element of security. Information security is 20% technology; 80% industrial psychology. There is no substitute for good policies. You need to consider placing limits on where your employees can go on your computers. Besides the limits you place by policy, consider implementing technology to enforce the limits.

  • Don't think that it's about the number of layers of security you have. If you try to do this by counting how many layers of security you have, you're almost certainly not looking at it from the right standpoint. What's more important is to look at what layers are appropriate.

  • It's all about achieving security-related business functional goals. What are the resources that need to be protected? What are the tolerances? Are you connected to other partners? How? Every enterprise is different. To determine what security measures are appropriate, you need to have the experts look at your network infrastructure and look at your needs.

  • But don't ever plan to just leave it all up to the experts! People on the inside need to be cognizant of security issues as well. You have to be thinking about the threats and vulnerabilities and countermeasures. Technological tools and outside services can give you time back so you can put it into other aspects of security, such as things that are hard to outsource. For example, things running on local machines that have daily impact on the entire organization need to be scrutinized and dealt with from within. Certain host-level intrusion detection systems are very hard to outsource, too.

  • Recent news reports have told about an employee of a vendor who underwent an unfriendly termination from his employer. Using the knowledge he gained through his employment, he mounted an attack on a corporate customer of the vendor. Addressing employee issues like these is crucial to any sound information security program. You want to make sure that even with that knowledge, the person who has left won't be able to gain access to your systems, or those of your customers. Obviously, that means doing things like revoking the authentications pertaining to an individual when that individual leaves your employ.

  • Go and make sure you're patched, not just for this worm, but to close other security flaws that may be resident on your system.

  • Come to grips with good security planning. It's not buying something. It's having a good plan and leveraging the right policies and technologies. There is no silver bullet.

  • Be glad, when it comes to Blaster, that the person who did this was not more malicious. But think about this: the only reason we know about this is because it's obvious. Who's to say there's not something more malicious that we don't know about? You can't afford to not take precautions.



Blaster Worm in the News:

CNN:
Internet worm confounds home users; Experts say new strain has emerged

ABC News:
Asia Grapples with Variants of Blaster Worm
Techs Begin Task of Fixing Worm's Damage

MSNBC:
'Blaster' still worming around Net

CBS News:
MS Worm Leaves Mess In Wake

Discovery Channel:
New Web Worm Promises 'Time Bomb'

Removal Instructions


Operating System Security Guides


Firewall Tips and Resources



Previous Tech Alerts

First published on 08/13/2003
