[ISN] Virus attack reveals flaw in network security strategies

From: InfoSec News (isnat_private)
Date: Mon Jan 27 2003 - 03:03:36 PST


    http://www.nandotimes.com/technology/story/736677p-5363306c.html
    
    By ANICK JESDANUN, 
    AP Internet Writer
    
    NEW YORK (January 26, 2003 4:20 p.m. EST) - The latest virus-like
    attack on the Internet exposes more than a software flaw: The very
    strategy managers of computer networks typically adopt for security
    has proven inadequate.
    
    As network technicians continued Sunday to repair damages caused by
    the fast-spreading worm, government and private security experts
    worried that too many security managers are fixing problems as they
    occur, then moving on until the next outbreak.
    
    The worm that crippled tens of thousands of computers worldwide,
    congested the network for countless others and even disabled Bank of
    America cash machines Saturday took advantage of a vulnerability in
    some Microsoft Corp. software that had been discovered in July.
    
    Microsoft had made available the software updates needed to patch the
    vulnerability in its SQL Server 2000 software - but many system
    administrators had yet to install them.
    
    "There was a lot that could have been done between July and now," said
    Howard A. Schmidt, President Bush's No. 2 cybersecurity adviser. "We
    make sure we have air in our tires and brakes get checked. We also
    need to make sure we keep computers up-to-date."
    
    Saturday's worm sought out the flaw in SQL, a database product used
    mostly by businesses and governments.
    
    Once the worm found one, it infected that computer and from there
    continued seeking other victims by sending out thousands of probes a
    second, saturating many Internet data pipelines.
    
    Unlike most viruses and worms, the latest spread directly through
    network connections and did not need e-mail as a transmitter. Thus,
    only network administrators who run the servers, not end users, could
    have done anything to remedy the situation.
    
    According to Keynote Systems Inc., which measures Internet reliability
    and speed, network congestion increased download times at the largest
    U.S. Web sites by an average of 50 percent, and some sites were
    completely unavailable at times Saturday.
    
    Most services and sites were restored by Saturday evening, and
    security experts said Sunday that the problem was largely under
    control, though some worried about lingering infections when
    businesses reopen Monday.
    
    The FBI said Sunday that the attack's origins were still unknown.
    
    Bruce Schneier, chief technology officer at Counterpane Internet
    Security, said the latest attack proves that relying on patches is
    flawed "not because it's not effective, but many don't do it."
    
    Code Red and Nimda, two of the previous major outbreaks, also
    exploited known problems that had patches available.
    
    But with more than 4,000 new vulnerabilities reported last year,
    according to the government-funded CERT Coordination Center at
    Carnegie Mellon University, system administrators can have trouble
    keeping up.
    
    Vendors have mechanisms for notifying customers, but patches take time
    to install and could disrupt other systems and applications. Schmidt
    said many networks delay installing patches to fully test them first.
    
    Russ Cooper, a security analyst at TruSecure Corp., said patches are
    also complicated, and applying them out of order can undo an earlier
    fix.
    
    Microsoft spokesman Rick Miller said the company is working with
    network professionals to develop better tools, including ones to
    automatically scan systems for known vulnerabilities.
    
    Preventing the next outbreak, security experts say, will mean
    rethinking security. Favored approaches range from getting vendors to
    make better software to paying private companies more money to handle
    the brunt of the work.
    
    Microsoft, for one, has already pledged to improve its products. Just
    two days before the attack on its software, Microsoft chairman Bill
    Gates sent out an e-mail outlining such improvements as better support
    for "smart cards" to replace or augment computer passwords.
    
    Company executives have also said they want to make security updates
    automatic so users could grant permission once and have multiple
    patches installed over the Internet whenever needed. Network managers,
    however, worry that such automation could inadvertently introduce
    problems for other applications.
    
    Carnegie Mellon's Software Engineering Institute is among research
    centers working on improving security before software is shipped -
    lessening the need for patches, said Brian King, Internet security
    analyst at Carnegie's CERT center.
    
    Security companies that stand to profit are pushing for more financial
    commitment.
    
    "If you're paying someone to go out and be an advance tech support guy
    and hover in your network and hit the switches at the right time, it's
    going to cost money," said David Perry of anti-virus vendor Trend
    Micro. "But since there is a need for this, it is cost-effective to be
    proactive."
    
    Schneier's Counterpane has an intrusion detection service for
    containing damages once a threat is identified, while SecurityFocus
    sends out alerts to help network managers prioritize.
    
    George Kurtz, chief executive of security company Foundstone Inc.,
    said anti-virus and firewall products are no longer enough.
    
    "Security is a journey, not a destination," he said. "It needs
    continuous care and feeding like a child."
    
    AP Technology Writer Ted Bridis contributed to this story from
    Washington.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    



    This archive was generated by hypermail 2b30 : Mon Jan 27 2003 - 05:47:15 PST