[ISN] InfoSec 2003: 'Zero-day' attacks seen as growing threat

From: InfoSec News (isn@private)
Date: Fri Dec 12 2003 - 01:31:51 PST


    Story by Jaikumar Vijayan
    DECEMBER 11, 2003

    NEW YORK -- "Zero-day" attacks that take advantage of software
    vulnerabilities for which there are no available fixes are emerging as
    a major threat to corporate security.

    More than ever, the threat underscores the need for companies to have
    safe configuration policies for software and systems, as well as good
    incident-response and patching capabilities, said users at the InfoSec
    2003 trade show here last week.

    "I'm very concerned about it," said Joseph Inhoff, LAN administrator
    at Lutron Electronics Co., a manufacturer of lighting equipment in
    Coopersburg, Pa.

    Because such attacks take advantage of flaws before software makers
    can fix them, the potential for damage from so-called zero-day
    exploits is something Lutron's management is especially worried about,
    Inhoff said. "I'm trying to figure out what I can do about it," said
    Inhoff, who was at the show to see how automated patching software
    could help bolster the company's response capabilities to such

    Although they have been seen as a major security threat for some time,
    there haven't yet been any major zero-day attacks.

    But users won't have to wait for long, warned Mary Ann Davidson, chief
    security officer at Oracle Corp. and a member of a panel discussing
    the topic at this week's event.

    For one thing, malicious hackers are getting better and faster at
    exploiting flaws, Davidson said. Last summer's Blaster worm, one of
    the most virulent and widespread ever, hit the Internet barely a month
    after Microsoft Corp. released a patch for the software flaw it
    exploited. A variant called Nachi, carrying a dangerous payload, hit
    users less than a week later. In contrast, January's SQL Slammer worm
    took eight months to appear after the vulnerability it targeted was
    first disclosed.

    "You can see that the timelines are collapsing," said Davidson. That
    trend suggests it's only a matter of time before users see attacks
    against flaws not yet disclosed or for which no patches are available,
    she said.

    The number of new vulnerabilities and exploits surfacing on security
    newsgroups is another indication that such attacks aren't far off,
    said Todd Kunkel, network systems security administrator at Adelphi
    University, a Garden City, N.Y.-based school with more than 7,500

    Kunkel monitors such groups on a daily basis to try to keep abreast of
    new flaws and see if work-arounds are possible before any exploit code
    becomes available. "I try to find out if there is anything that I need
    to worry about and see how I can go about fixing it," he said.

    The relatively glacial pace at which some corporations patch their
    systems against known vulnerabilities also makes them attractive
    targets for both conventional and zero-day attacks, said Gerhard
    Eschelbeck, chief technology officer at Qualys Inc. in Redwood Shores,

    Every quarter, Qualys conducts over 1 million vulnerability scans on
    behalf of 1,300 clients and "several thousand" prospects, Eschelbeck
    said. One such scan in November showed that over 12,000 systems were
    vulnerable to a flaw in a Microsoft Windows Remote Procedure Call
    function for which no patches were available.

    The consequences can be "potentially devastating" for companies, said
    Dennis Brouwer, a senior vice president at SmartPipes Inc., a Dublin,
    Ohio-based provider of managed networked services. "Your services will
    depend entirely on how quickly you are able to respond to such
    attacks," he said.

    Having good processes in place for real-time vulnerability scanning
    and automated patching is key, Davidson said. It's also crucial for
    users to ensure that their software vendors are meeting specific
    safe-configuration requirements when products are shipped.

    Federal agencies are already headed down that path. The U.S.
    Department of Energy in September signed a contract with Oracle under
    which the software vendor is required to meet a checklist of security
    settings when shipping software to the agency. Such measures are a
    good way to mitigate exposure to zero-day threats that take advantage
    of weak default settings, Davidson said.
    ISN is currently hosted by Attrition.org
