[ISN] Free benchmark could have found Slammer vulnerability

From: InfoSec News (isnat_private)
Date: Sun Feb 02 2003 - 22:22:22 PST


    JANUARY 31, 2003

    Not only could companies have easily slammed the door on the Slammer
    worm if they had installed the patch released by Microsoft Corp. six
    months ago, but they could also have uncovered the vulnerability
    exploited by the worm using a free benchmark developed jointly by the
    government and private sector.

    Industry experts and users said the Slammer worm should have been a
    nonissue for companies because the patches and a free tool capable of
    detecting the vulnerability exploited by the worm were available six
    months ago. That's important because it would have given companies
    advance warning that they were vulnerable and more time to test the
    patch, said users.

    In particular, they point to the issuance in July of the Consensus
    Minimum Security Benchmarks, also known as the Gold Standard.
    Developed jointly by five federal agencies, including the National
    Security Agency (NSA) and the FBI's National Infrastructure Protection
    Center, as well as the SANS Institute and the Center for Internet
    Security (CIS), the Gold Standard benchmark can be used to test
    Windows 2000 Professional systems running as workstations for proper

    Alan Paller, director of research at SANS, said an NSA study of the
    benchmark concluded that by running it on a network a company could
    eliminate more than 90% of known vulnerabilities. And the
    database-specific vulnerabilities exploited by the Slammer worm would
    have been among those found, he said.

    Pat Hymes, vice president of Corporate Information Security at
    Wachovia Corp., a CIS member company based in Charlotte, N.C., said
    properly configured servers are an absolute necessity for security.
    But maintaining service packs and "hot fixes" can be a challenge for
    any organization.

    "It can take a great deal of time and energy to download, test and
    implement service packs and hot fixes, especially in large
    organizations, where they can impact hundreds of applications and
    thousands of servers," said Hymes. "Software companies, like
    Microsoft, have to accept more accountability for this situation. The
    total cost of ownership for servers running some of these distributed
    OSs, databases and Web software [is] going through the roof due to the
    manpower being expended to maintain patches and respond to events like
    the SQL Slammer worm."

    Hymes added that the Gold Standard benchmark serves as an "excellent
    baseline" for security testing. And because it's available for free,
    "there's no reason not to use it."

    The challenge remains awareness, said Clint Kreitner, president of
    CIS, a Hershey, Pa.-based nonprofit security standards consortium of
    more than 170 companies. "We continue to fight an uphill battle
    getting the message out to organizations that competent security
    configuration and up-to-date patching is one thing that everyone can
    and should do to make a huge difference in making their systems more
    secure," Kreitner said.

    Maurice Rieffel, an IT security analyst at a major energy company in
    Louisiana, said, for example, that he was aware of the benchmark but
    didn't know it tested for the SQL database vulnerability exploited by

    Claude Bailey, an IT security analyst at one of the nation's largest
    financial management firms, said that while the Gold Standard is a
    good starting point, his security administrators say the problem isn't
    in detecting the vulnerability but in deploying the patches and fixes
    across an organization of 50,000 employees -- and guaranteeing that
    the patch won't cause more problems.

    "We tested the original patch [for the SQL vulnerability], and it had
    problems," said Bailey. Now, with the financial firm in the middle of
    tax season, there's too much to lose to deploy patches that break
    other parts of the network. As a result, the company has placed a
    freeze on any such maintenance until tax season is over.

    Roger Davis, an IT auditor at a global skin and body care products
    company in Utah, said a few hours upfront using the Gold Standard
    would have saved many companies hundreds of man-hours later.

    Said Bailey, "If you decide not to patch something, you're dead."
    ISN is currently hosted by Attrition.org

    This archive was generated by hypermail 2b30 : Mon Feb 03 2003 - 01:36:06 PST